17:04:37 <kmalloc> #startmeeting keystone-office-hours
17:04:38 <openstack> Meeting started Tue Oct  2 17:04:37 2018 UTC and is due to finish in 60 minutes.  The chair is kmalloc. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:04:39 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:04:42 <openstack> The meeting name has been set to 'keystone_office_hours'
17:29:03 <kmalloc> ayoung: -1 on the explicit domain id for a few reasons, but mostly because the validation is insufficient.
17:29:30 <ayoung> WFM
17:29:41 <ayoung> I assume you expand on that in the review?
17:36:24 <kmalloc> ayoung: yeah i've highlighted my concerns
17:36:52 <kmalloc> ayoung: mostly things like the uuid you generated isn't what keystone would store internally, it has '-' in it. do shorter hex-only strings work
17:36:53 <kmalloc> etc
17:37:17 <kmalloc> you're probably going to need to implement json-schema or explicit cast of id to a uuid.hex
17:37:39 <kmalloc> default and domain-root (whatever the id is) are the only exceptions for "uuid-is-the-form-of-the-id" for domains
17:37:50 <kmalloc> and specifically uuid.hex
17:44:24 <hrybacki> kmalloc: ack. I'm getting pushed for something more formal or I wouldn't ask :)
18:00:19 <kmalloc> on my long list of todo
18:00:37 <kmalloc> formal docs. but really "enable caching. enable service-ksm caching sharing a pool"
18:00:43 <kmalloc> that is the best practices.
18:04:37 <knikolla> any opinion/preference on the term refreshable vs renewable for app creds?
18:11:51 <kmalloc> flip a coin
18:12:04 <kmalloc> i think renewable is a better term.
18:12:15 <kmalloc> but i have no qualms with either name
18:18:16 <kmalloc> knikolla: https://review.openstack.org/#/c/606195/ that needs your +2
18:18:47 <knikolla> kmalloc: i think i'll go for renewable.
18:18:53 <knikolla> looking now
18:19:06 <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: WIP: Convert auth to flask native dispatching  https://review.openstack.org/603461
18:19:40 <kmalloc> and now... time to chase the last bugs with the auth conversion so we can land it and be much closer to being done with flaskification
18:22:25 <kmalloc> cmurphy: are you ok with me breaking the json_home a little more. basically eliminating the OS-FEDERATION entries in lieu of the /v3/auth/ entries only?
18:22:40 <kmalloc> knikolla, ayoung, gagehugo: ^
18:23:15 <kmalloc> basically: just dropping OS-FEDERATION entries from json_home where there is a mirrored bit in the /v3/auth locations
18:24:19 <knikolla> kmalloc: would that break someone who is using json_home to discover the url?
18:24:36 <kmalloc> only if they are trying to discover /OS-FEDERATION bits we deprecated
18:24:50 <kmalloc> also... i don't know of a single person using jsonhome
18:25:03 <kmalloc> it's... not a great document for discovery
18:25:18 <kmalloc> i think it's easier to just use the openstack docs and look up the URL :P
18:26:08 <mogindi> have a question regarding keystone token issuing, anyone know who the best person to help me?
18:26:20 <knikolla> IIRC ayoung has a blog post on how to consume json_home
18:26:30 <knikolla> but I'm cautiously okay with removing deprecated bits from it
18:26:31 <kmalloc> mogindi: lots of folks here, ask away
18:27:55 <kmalloc> knikolla: if it's important i can add a way to add in "extra" REL data
18:28:17 <kmalloc> but basically with auth conversion, i didn't assume we'd have entries in two locations for the same data (conversion for that one bug fix)
18:28:34 <knikolla> i tremble upon hearing the word "extra"
18:28:46 <kmalloc> knikolla: e.g. i am missing the entry now for OS-FEDERATION/1.0/rel/projects because i have it as /auth/projects
18:29:05 <mogindi> kmalloc: I'm issuing a token using `openstack token issue`, plug the token id generated in an rc file and export along with OS_ env vars. I'm able to run commands as that user normally, but some commands are failing giving a 401. Ever seen that?
18:29:18 <kmalloc> we used to have it listed in both locations. but with the move to use the same code, i don't have a mechanism to add both json_home rel data bits.
18:29:21 <kmalloc> knikolla: ^
18:29:55 <kmalloc> knikolla: i could split the code back out, but now in flask we really do map the URLs to both locations (direct route) so no code duplication or even a "call other controller"
18:30:00 <kmalloc> it is the same exact controller/resource
18:30:15 <knikolla> kmalloc: understood. in that case i think it's fine to remove it.
18:30:38 <kmalloc> mogindi: i'd need to know more about what is failing. is it failing after a period of time?
18:30:45 <kmalloc> mogindi: tokens expire
18:32:43 <kmalloc> knikolla: i'm going to just drop the OS-FEDERATION entries and add them back in if folks complain
18:32:51 <mogindi> kmalloc: it's not the expiration. it's right after generating the token. The command `openstack volume list` works, but for example `openstack volume type list` returns a 401
18:32:53 <kmalloc> knikolla: that is i think 2-4 of the failing tests :P
18:33:11 <kmalloc> mogindi: do you have the correct roles to list that?
18:33:20 <kmalloc> mogindi: odd that you're getting a 401 vs a 403.
18:34:03 <kmalloc> i would expect that to be a 403 without the roles. but i haven't looked at how cinder does enforcement
18:34:03 <mogindi> kmalloc: yeah if it's a policy issue, normally would get a 403. Tried setting identical policies to make sure, didn't work
18:34:44 <kmalloc> so if you do: openstack volume list, openstack volume type list, openstack volume list
18:34:49 <kmalloc> the middle of the two commands would fail
18:34:54 <mogindi> yes
18:35:05 <kmalloc> but the other two would work (assuming in short order use)
18:35:16 <kmalloc> weird
18:35:16 <mogindi> yes exactly
18:35:35 <kmalloc> you might need to get some debug output for us. this might also be something we need to loop in #openstack-cinder folks on
18:35:43 <kmalloc> is cinder the only place you're seeing this?
18:35:45 <kmalloc> or other commands.
18:36:05 <kmalloc> e.g. is it super wide spread or just some things, which might be some odd enforcement thing
18:36:15 <mogindi> nope. `openstack router create` doesn't work either
18:36:23 <kmalloc> with a 401.
18:36:27 <mogindi> there could be others, but these are the 2 i know of right now
18:36:40 <kmalloc> are you an admin or a normal user?
18:36:55 <kmalloc> [or is this a public cloud somewhere]?
18:37:16 <mogindi> tried with both. It's our cloud.
18:38:19 <kmalloc> and finally, what version of openstack?
18:38:30 <kmalloc> just in case i need to check if there is something specific to a release.
18:39:19 <mogindi> pike
18:39:25 <kmalloc> [ideally, i'd like to get some info, [debug] sanitized logs from cinder for example if things are possible], and i'd like to see the debug output of the osc run too
18:40:20 <mogindi> okay. where should i paste these logs?
18:50:14 <knikolla> mogindi: paste.openstack.org usually works well
18:50:41 <ayoung> knikolla, kmalloc my blog post does not really cover that use case
18:51:43 <ayoung> Just really how to fetch the data.  The real question is whether OS-FEDERATION would be the path people look for based on old docs
18:52:44 <ayoung> https://docs.openstack.org/security-guide/identity/federated-keystone.html
18:52:46 <ayoung> HMMM
18:53:16 <ayoung> I think we might have an issue with just removing that, as all of the docs state that you need to have those there in order to set up Federation
18:53:25 <ayoung> https://docs.openstack.org/security-guide/identity/federated-keystone.html  For example
18:54:08 <ayoung> is that what is going to move, or just things like /auth/projects?
18:54:48 <knikolla> ayoung: if i understand correctly, those paths will still work (ex. /OS-FEDERATION/projects) they just won't be advertised on json_home
18:55:13 <ayoung> Do we get any form of documentation?  Can we put a comment in there?
19:06:29 <openstackgerrit> ayoung proposed openstack/keystone-specs master: Unscoped Token Catalog  https://review.openstack.org/607346
19:12:25 <kmalloc> i'll just add a mechanism for the additional rel entries
19:12:28 <kmalloc> bleh.
19:15:45 <mogindi> kmalloc: http://paste.openstack.org/show/731291/
19:15:57 <mogindi> let me know if there's something specific u need
19:26:07 * kmalloc drinks more coffee and pokes at paste
19:27:05 <kmalloc> ok.. i want to loop in some cinder folks.
19:32:41 <kmalloc> mogindi: you might want to join #openstack-cinder as well. I don't know how some things are failing with 401 vs 403. might ask you to post your cinder config (with passwords/sensitive data stripped out)
19:43:05 <kmalloc> mogindi: can you do this with cinderclient as well?
19:43:21 <kmalloc> mogindi: want to see if there is an issue with OSC / different response for volume list and type list
19:43:26 <mogindi> okay just joined #openstack-cinder
19:43:33 <mogindi> okay gonna try
19:47:57 <mogindi> kmalloc: cinder commands not working with token, getting "ERROR: argument --os-token: conflicting option string(s): --os-token" - troubleshooting
19:51:05 <kmalloc> blink
21:28:50 <openstackgerrit> ayoung proposed openstack/keystone master: Allow an explicit_domain_id parameter when creating a domain  https://review.openstack.org/605235
21:40:47 <kmalloc> knikolla: ok so...
21:41:19 <kmalloc> knikolla: i don't have a good way to maintain json home things. it also looks like there is an issue with using the alternate_url bits i implemented :(
21:42:20 <kmalloc> any "prefix" on the API will apply to the mapping as well
21:42:23 <kmalloc> grrrr.
21:42:38 <knikolla> :/
21:43:52 <kmalloc> i'll have a whole bunch of "fixes" down the road.
21:46:02 <kmalloc> i'm just debating what to do next... i guess alternate_urls preclude using an API prefix
21:46:34 <kmalloc> i'm going to add that logic in as well
21:46:36 <kmalloc> bleh
22:16:36 <openstackgerrit> Merged openstack/keystone master: Properly replace flask view args in links  https://review.openstack.org/606195
02:53:40 <kmalloc> holy crap. i think i have it done.
02:53:59 <kmalloc> auth is running tests locally and then will be pushed up.
02:54:02 <kmalloc> #endmeeting