Friday, 2021-01-08

openstackgerrit	Kendall Nelson proposed openstack/governance master: Add Resolution of TC stance on the OpenStackClient https://review.opendev.org/c/openstack/governance/+/759904	00:18
*** rcernin has quit IRC		00:44
*** rloo has quit IRC		01:03
*** ircuser-1 has quit IRC		01:12
*** jamesmcarthur has quit IRC		01:21
*** jamesmcarthur has joined #openstack-dev		01:21
*** rcernin has joined #openstack-dev		01:45
*** mlavalle has quit IRC		02:06
*** _mlavalle_1 has joined #openstack-dev		02:07
*** zzzeek has quit IRC		02:09
*** zzzeek has joined #openstack-dev		02:10
*** zzzeek has quit IRC		02:15
*** zzzeek has joined #openstack-dev		02:16
*** eagereagle1 has quit IRC		02:19
*** njohnston has quit IRC		02:37
*** tamas_erdei has joined #openstack-dev		02:37
*** jamesmcarthur has quit IRC		02:39
*** terdei has quit IRC		02:40
*** jamesmcarthur has joined #openstack-dev		02:41
*** zzzeek has quit IRC		02:43
*** zzzeek has joined #openstack-dev		02:45
*** jamesmcarthur has quit IRC		02:45
*** jamesmcarthur has joined #openstack-dev		03:03
*** jamesmcarthur has quit IRC		03:04
*** jamesmcarthur has joined #openstack-dev		03:04
*** ysandeep\|away is now known as ysandeep		03:19
*** pmannidi has quit IRC		03:20
*** pmannidi has joined #openstack-dev		03:21
*** jamesmcarthur has quit IRC		03:31
*** jamesmcarthur has joined #openstack-dev		03:36
*** jamesmcarthur has quit IRC		03:36
*** jamesmcarthur has joined #openstack-dev		03:36
*** rcernin has quit IRC		03:39
*** rcernin has joined #openstack-dev		03:52
*** rcernin has quit IRC		03:52
*** rcernin has joined #openstack-dev		03:52
*** bbowen_ has joined #openstack-dev		04:06
*** ircuser-1 has joined #openstack-dev		04:07
*** bbowen has quit IRC		04:08
*** jamesmcarthur has quit IRC		04:19
*** jamesmcarthur has joined #openstack-dev		04:20
*** njohnston has joined #openstack-dev		04:22
*** jamesmcarthur has quit IRC		04:25
*** jamesmcarthur has joined #openstack-dev		04:26
*** jamesmcarthur has quit IRC		04:31
*** jamesmcarthur has joined #openstack-dev		04:32
*** zzzeek has quit IRC		04:36
*** zzzeek has joined #openstack-dev		04:38
*** zzzeek has quit IRC		04:49
*** zzzeek has joined #openstack-dev		04:51
*** zzzeek has quit IRC		05:05
*** zzzeek has joined #openstack-dev		05:07
*** ysandeep is now known as ysandeep\|afk		05:08
*** zzzeek has quit IRC		05:28
*** zzzeek has joined #openstack-dev		05:31
*** evrardjp has quit IRC		05:33
*** evrardjp has joined #openstack-dev		05:33
*** rcernin has quit IRC		05:36
*** zzzeek has quit IRC		05:38
*** zzzeek has joined #openstack-dev		05:40
*** rcernin has joined #openstack-dev		05:44
*** zzzeek has quit IRC		05:54
*** jamesmcarthur has quit IRC		05:55
*** rcernin has quit IRC		05:56
*** jamesmcarthur has joined #openstack-dev		05:56
*** zzzeek has joined #openstack-dev		05:56
*** jamesmcarthur has quit IRC		06:01
*** gyee has quit IRC		06:11
*** jamesmcarthur has joined #openstack-dev		06:15
*** rcernin has joined #openstack-dev		06:22
*** rcernin has quit IRC		06:23
*** rcernin has joined #openstack-dev		06:24
*** rcernin has quit IRC		06:39
*** rcernin has joined #openstack-dev		06:44
*** zzzeek has quit IRC		06:51
*** zzzeek has joined #openstack-dev		06:53
*** ralonsoh has joined #openstack-dev		07:03
*** rcernin has quit IRC		07:14
*** rcernin has joined #openstack-dev		07:28
*** zzzeek has quit IRC		07:31
*** zzzeek has joined #openstack-dev		07:32
*** jcapitao has joined #openstack-dev		07:41
*** ysandeep\|afk is now known as ysandeep		07:42
*** rcernin has quit IRC		07:43
*** jgriffit1 has quit IRC		07:46
*** dklyle has quit IRC		07:51
*** bbowen has joined #openstack-dev		08:01
*** bbowen_ has quit IRC		08:02
*** whoami-rajat has joined #openstack-dev		08:03
*** jgriffith has joined #openstack-dev		08:07
*** ccamposr has joined #openstack-dev		08:12
*** tamas_erdei is now known as terdei		08:13
*** snapiri has quit IRC		08:15
*** tesseract has joined #openstack-dev		08:16
*** jamesmcarthur has quit IRC		08:16
*** zzzeek has quit IRC		08:21
*** miloa has joined #openstack-dev		08:22
*** zzzeek has joined #openstack-dev		08:23
*** zzzeek has quit IRC		08:27
*** zzzeek has joined #openstack-dev		08:28
*** rpittau\|afk is now known as rpittau		08:32
*** tesseract has quit IRC		08:41
*** tesseract has joined #openstack-dev		08:42
*** jamesmcarthur has joined #openstack-dev		08:47
*** jamesmcarthur has quit IRC		08:52
*** tkajinam has quit IRC		08:55
*** maharg101 has joined #openstack-dev		08:56
*** tosky has joined #openstack-dev		08:56
*** zzzeek has quit IRC		08:57
*** zzzeek has joined #openstack-dev		08:58
*** jpich has joined #openstack-dev		09:00
*** ysandeep is now known as ysandeep\|lunch		09:22
*** tesseract has quit IRC		09:36
*** tesseract has joined #openstack-dev		09:36
*** tesseract has quit IRC		09:38
*** tesseract has joined #openstack-dev		09:38
*** zzzeek has quit IRC		09:44
*** zzzeek has joined #openstack-dev		09:46
*** gfidente\|afk is now known as gfidente		09:47
*** zzzeek has quit IRC		09:56
*** zzzeek has joined #openstack-dev		09:57
*** dtantsur\|afk is now known as dtantsur		09:57
*** ttx has quit IRC		10:16
*** ttx has joined #openstack-dev		10:17
*** zzzeek has quit IRC		10:18
*** zzzeek has joined #openstack-dev		10:20
*** zzzeek has quit IRC		10:27
*** zzzeek has joined #openstack-dev		10:29
*** yumiriam has joined #openstack-dev		10:43
*** jcapitao is now known as jcapitao_afk		10:53
*** jamesmcarthur has joined #openstack-dev		11:04
*** jamesmcarthur has quit IRC		11:09
*** zzzeek has quit IRC		11:18
*** zzzeek has joined #openstack-dev		11:20
*** whoami-rajat__ has joined #openstack-dev		11:26
*** whoami-rajat has quit IRC		11:27
*** ysandeep\|lunch is now known as ysandeep		11:32
*** zzzeek has quit IRC		11:38
*** zzzeek has joined #openstack-dev		11:43
*** jpich has quit IRC		11:44
*** jpich has joined #openstack-dev		11:45
*** bbowen_ has joined #openstack-dev		12:10
*** bbowen has quit IRC		12:10
*** ccamposr__ has joined #openstack-dev		12:14
*** ccamposr has quit IRC		12:17
*** zzzeek has quit IRC		12:28
*** zzzeek has joined #openstack-dev		12:30
*** jcapitao_afk is now known as jcapitao		12:31
*** zzzeek has quit IRC		12:42
*** zzzeek has joined #openstack-dev		12:45
*** SotK has quit IRC		12:52
*** SotK has joined #openstack-dev		12:52
*** miloa has quit IRC		13:34
*** miloa has joined #openstack-dev		13:37
*** ccamposr__ has quit IRC		13:48
*** morazi has quit IRC		13:52
*** _mlavalle_1 has quit IRC		13:58
*** mlavalle has joined #openstack-dev		13:58
*** zzzeek has quit IRC		13:59
*** dtantsur is now known as dtantsur\|brb		14:00
*** zzzeek has joined #openstack-dev		14:01
*** morazi has joined #openstack-dev		14:03
*** rloo has joined #openstack-dev		14:13
*** jgriffith has quit IRC		14:39
*** ccamposr has joined #openstack-dev		14:46
*** rpittau is now known as rpittau\|afk		14:46
*** ysandeep is now known as ysandeep\|away		14:49
*** jamesmcarthur has joined #openstack-dev		15:06
*** jamesmcarthur has quit IRC		15:10
*** pcaruana has quit IRC		15:13
*** pcaruana has joined #openstack-dev		15:13
*** nweinber has joined #openstack-dev		15:14
*** miloa has quit IRC		15:32
*** zzzeek has quit IRC		15:38
*** nweinber has quit IRC		15:39
*** zzzeek has joined #openstack-dev		15:41
*** dtantsur\|brb is now known as dtantsur		15:45
*** dklyle has joined #openstack-dev		15:49
dansmith	lbragstad: poke	15:54
lbragstad	o/	15:54
dansmith	lbragstad: hey, wondering if you can point me in the right direction	15:55
lbragstad	dansmith i can try - what's up?	15:55
dansmith	lbragstad: I want to make a simpleish http call to another service, by address, from inside a request handler, using the user's token	15:55
dansmith	basically "oops, this is the wrong service, let me proxy that for you" sort of deal	15:56
lbragstad	ok	15:58
dansmith	actually, someone else pointed me at something in nova which might be what I want, although I'm sure it's not going to go straight to the host	15:58
dansmith	lemme get a clean link	15:58
dansmith	'https://github.com/openstack/nova/blob/stable/ussuri/nova/network/neutron.py#L260-L276	15:59
dansmith	that will give me an adapter that uses the user's token it seems	15:59
dansmith	and from that I guess I can do a client.get() ,,,	16:00
*** jgriffith has joined #openstack-dev		16:00
dansmith	but will that let me use a full url, or does that have to go through the catalog? the example I see just provides a relative url, not one with a host	16:01
*** jamesmcarthur has joined #openstack-dev		16:01
lbragstad	so - iiuc you should be able to use the session object associated with that client	16:02
lbragstad	and that should give you the ability to call https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth1/session.py#L644-L648	16:02
dansmith	okay, so that client is catalog-only, but if I sniff out the session I can go direct?	16:03
lbragstad	yes - i think so	16:03
dansmith	okay thanks I'll try it	16:03
lbragstad	ok - let me know if that doesn't work	16:03
lbragstad	but if you dig deep enough into ksa - you should be able to curate your own requests and bypass any of the catalog logic or assumptions	16:04
dansmith	ack thanks	16:05
*** zzzeek has quit IRC		16:10
*** zzzeek has joined #openstack-dev		16:12
dansmith	lbragstad: actually, unwinding that code in nova, it goes pretty deep and interacts with the config for things I'm not quite sure about	16:17
dansmith	if I get the auth plugin from context.get_auth_plugin(), can I just initialize a Session directly with that and go?	16:21
*** ircuser-1 has quit IRC		16:29
dansmith	man, nova has so much wrapped around this	16:33
*** zzzeek has quit IRC		16:35
*** zzzeek has joined #openstack-dev		16:37
*** whoami-rajat__ has quit IRC		16:39
lbragstad	dansmith yeah - that's a good question, i was just looking at that	16:42
dansmith	I think I might've gotten it	16:42
lbragstad	it looks like most of it comes from config, so keystone_authtoken credentials?	16:42
dansmith	well, I dunno, I think there's all kinds of auth plugn swap-ability, which I don't care about if I'm just feeding it the existing token	16:42
dansmith	I copied and cut out some stuff from nova and am working on trying it	16:43
dansmith	I got it to make a call to another http server, I just need to set up another openstack service to have it call	16:43
dansmith	lbragstad: are you a reasonable person to look at the keystoney bits of this when I have something posted?	16:43
dansmith	like, to tell me "that won't work if the deployment is configured with fancypants9000 auth" or something	16:44
lbragstad	i'm not sure how helpful i'll be but i can take a look	16:44
dansmith	okay thanks	16:44
lbragstad	does nova not have a way to get a client using a session with a user token? i think all the ksa session i'm seeing are using the nova service user creds	16:47
dansmith	well, it used to in the neutron module, which is the url I pasted above, but it's very roundabout	16:48
dansmith	I'm actually doing this for glance and so I had to just strip out the bits of the nova stuff down to the "give me an adapter for the current token" bits	16:49
lbragstad	ok - that makes sense	16:51
*** nweinber has joined #openstack-dev		16:57
*** gyee has joined #openstack-dev		16:58
*** jpich has quit IRC		17:02
*** jcapitao has quit IRC		17:03
*** jamesmcarthur has quit IRC		17:04
dansmith	lbragstad: dude.	17:15
dansmith	I think it works.	17:15
lbragstad	\o/	17:16
lbragstad	so - you were able to dig out an instance of the Session and use that?	17:16
dansmith	I just created a Session with auth= set to an auth plugin initialized from the token	17:17
lbragstad	nice	17:17
dansmith	nova has this auth plugin subclass that takes a token, so I copied that	17:18
lbragstad	nova needed to subclass that?	17:18
*** tesseract has quit IRC		17:18
* lbragstad thought there was a plugin for that in ksa		17:19
dansmith	lbragstad: needed to, or did? :)	17:19
dansmith	lbragstad: if so, that'd reduce the amount of crap I have to clean up	17:19
lbragstad	do you have a link to the subclass?	17:19
dansmith	https://github.com/openstack/nova/blob/master/nova/context.py#L51	17:20
lbragstad	https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth1/identity/v3/token.py#L35	17:21
lbragstad	you might be able to use this	17:24
lbragstad	https://docs.openstack.org/keystoneauth/latest/api/keystoneauth1.identity.v3.html#keystoneauth1.identity.v3.TokenMethod	17:24
dansmith	okay I can try that	17:24
lbragstad	like this example, but using v3.Token instead of v3.Password	17:25
lbragstad	https://docs.openstack.org/keystoneauth/latest/authentication-plugins.html#v3-identity-plugins	17:25
lbragstad	the session should be able to deal with whatever auth plugins are passed in	17:25
dansmith	okay	17:27
*** frenzy_friday has quit IRC		17:29
dansmith	lbragstad: https://pastebin.com/raw/rU2GmXwc	17:36
lbragstad	dansmith do you have a snippet of the code you're running?	17:37
dansmith	lbragstad: https://pastebin.com/3equSf8k	17:38
dansmith	lbragstad: that returns the session, and then I do a session.post() on it	17:38
dansmith	note it works with the commented-out line, which uses that nova subclass	17:38
lbragstad	weird... and it fails in post()?	17:39
dansmith	yup	17:39
*** nweinber has quit IRC		17:42
lbragstad	seems like a gap in that plugin	17:43
dansmith	okay well, in that case I'll clean what I have up and mark it as "should be replaced by something generic in keystoneauth1"	17:46
lbragstad	yeah - that works, what version are you using?	17:47
lbragstad	of ksa	17:47
dansmith	dan@guaranine:/opt/stack/glance$ pip3 freeze \| grep keystoneauth1	17:47
dansmith	keystoneauth1==4.3.0	17:47
dansmith	whatever devstack installed this morning	17:48
lbragstad	that's the latest release and nothing has been merged to master since	17:54
lbragstad	i opened a bug	17:56
lbragstad	https://bugs.launchpad.net/keystoneauth/+bug/1910788	17:56
openstack	Launchpad bug 1910788 in keystoneauth "Using request() methods on session objects with Token plugins break" [Undecided,New]	17:56
lbragstad	dansmith possible workaround	18:13
lbragstad	https://bugs.launchpad.net/keystoneauth/+bug/1910788/comments/2	18:13
openstack	Launchpad bug 1910788 in keystoneauth "Using request() methods on session objects with Token plugins break" [Undecided,New]	18:13
dansmith	lbragstad: but I need to know the auth url?	18:14
lbragstad	yeah - https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth1/identity/v3/token.py#L53 =/	18:14
lbragstad	i guess if you don't have that then you can't use it	18:15
*** ralonsoh has quit IRC		18:17
lbragstad	it looks like the _ContextAuthPlugin wrapper has a service catalog?	18:27
lbragstad	https://github.com/openstack/nova/blob/master/nova/context.py#L59	18:27
lbragstad	dansmith yeah - i don't think the AuthMethod implementation or it's subclasses are meant to work that way - the same thing is true for the PasswordMethod	18:31
lbragstad	http://paste.openstack.org/show/801520/	18:31
lbragstad	iiuc - the reason it works in nova is because _ContextAuthPlugin is subclassing BaseAuthPlugin - which implements get_headers()	18:32
*** ccamposr has quit IRC		18:32
*** ccamposr has joined #openstack-dev		18:35
*** ccamposr has quit IRC		18:39
lbragstad	doing a bit more digging and i think the service catalog provided to the constructor of _ContextAuthPlugin ultimately comes from the headers of the request, which are set by keystonemiddleware - so it should be the service catalog associated with the token used in the request	18:40
*** dtantsur is now known as dtantsur\|afk		18:43
lbragstad	yeah - nova is pulling it out manually https://github.com/openstack/nova/blob/master/nova/api/auth.py#L100	18:45
*** gfidente is now known as gfidente\|afk		19:00
*** ccamposr has joined #openstack-dev		19:01
*** zlr20830 has joined #openstack-dev		19:02
*** maharg101 has quit IRC		19:05
*** mcriswell has joined #openstack-dev		19:15
*** zlr20830 has quit IRC		19:17
*** nweinber has joined #openstack-dev		19:19
*** jamesmcarthur has joined #openstack-dev		19:23
dansmith	lbragstad: ack, so.. should I be doing something different?	20:01
dansmith	lbragstad: this is what I have right now, btw: https://review.opendev.org/c/openstack/glance/+/769976/1/glance/context.py	20:01
lbragstad	dansmith looking	20:08
dansmith	I guess I'm not sure about that nova code which de-json's the service catalog from the request.. surely that'd be a huge hole	20:09
*** jamesmcarthur has quit IRC		20:11
dansmith	config does have the auth_url and identity_uri,	20:11
dansmith	which look to match the workaround in your comment	20:11
dansmith	so if using that code and stuffing one of those in for the service catalog url, I can surely do that	20:11
*** ccamposr__ has joined #openstack-dev		20:14
*** ccamposr has quit IRC		20:14
dansmith	lbragstad: when I do that, I get 404 from the remote side, presumably because I'm not auth'd	20:21
dansmith	specifically this: auth = identity.v3.Token(CONF.keystone_authtoken.identity_uri, context.auth_token)	20:21
lbragstad	yeah - that would work, too	20:21
lbragstad	then you won't need to subclass the authplugin	20:22
dansmith	but ^	20:22
*** jamesmcarthur has joined #openstack-dev		20:22
lbragstad	otherwise - you can do something like: http://paste.openstack.org/show/801524/	20:30
lbragstad	the identity_endpoint that's extracted from the service catalog in the header should be the identity endpoint/vip that was used to create context.auth_token	20:32
dansmith	lbragstad: I'm confused... is Token going to actually use the url we give it or are we just trying to give it something because it requires a param there? since I'm giving it the token, shouldn't it just be passing that straight on through like the from-nova hack does?	20:33
lbragstad	Token should use the url you pass it - the _ContextAuthPlugin in nova has it's own service catalog passed in	20:34
lbragstad	i think the reason why you need to give Token an auth_url is because it needs to know where to validate that token	20:35
dansmith	but..	20:37
dansmith	lbragstad: it's already been validated, I just need to pass it along in the request to the other side	20:37
dansmith	that side should validate it, but I don't want to validate it again before I use it to make another request	20:37
lbragstad	yeah - that makes sense	20:38
dansmith	lbragstad: so does that mean maybe my hack is actually what I should keep to avoid a bunch of code and another token verify?	20:39
lbragstad	i'm double checking that now	20:39
*** jamesmcarthur has quit IRC		20:39
lbragstad	i don't see anything in the AuthConstructor/BaseIdentityPlugin inheritance that performs a validation in the constructor - checking session side quick	20:42
lbragstad	ok - yeah...	20:50
dansmith	hack is good? :)	20:51
*** diablo_rojo__ has joined #openstack-dev		20:59
*** maharg101 has joined #openstack-dev		21:02
lbragstad	ok - wow	21:02
lbragstad	so - this is what you originally hit https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth1/session.py#L780	21:03
lbragstad	which calls https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth1/plugin.py#L106	21:03
lbragstad	bounces back to the session https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth1/session.py#L1213	21:04
lbragstad	and finally calls the auth plugin https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth1/session.py#L1191	21:04
*** maharg101 has quit IRC		21:06
lbragstad	and ultimately makes it here https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth1/identity/v3/base.py#L186	21:07
dansmith	can I just take a moment to say that I think what i'm asking to do here is not super crazy, yet this whole foray has made me question everything? :P	21:08
lbragstad	so - if i'm not too confused... it appears that calling get_auth_headers() via session.request() does invoke an auth request...	21:09
lbragstad	no - the use case is really simple to understand	21:09
lbragstad	but following the code to figure out if that's actually doing what we think is really opaque	21:10
dansmith	seems like it	21:11
*** slaweq has quit IRC		21:13
lbragstad	dansmith actually - https://docs.openstack.org/keystoneauth/latest/authentication-plugins.html#simple-plugins	21:21
lbragstad	^ that might be what you want	21:21
lbragstad	a = token_endpoint.Token('http://192.168.1.150/identity/', token)	21:21
lbragstad	the get_token implementation is the same as the _ContextAuthPlugin	21:23
lbragstad	https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth1/token_endpoint.py#L30-L31	21:23
*** nweinber has quit IRC		21:37
dansmith	lbragstad: that's what I tried above and pasted the 404	21:39
dansmith	[12:21:07] <dansmith> lbragstad: when I do that, I get 404 from the remote side, presumably because I'm not auth'd	21:39
dansmith	[12:21:38] <dansmith> specifically this: auth = identity.v3.Token(CONF.keystone_authtoken.identity_uri, context.auth_token)	21:39
dansmith	er, wait,	21:40
dansmith	maybe that's not what I'm doing	21:40
dansmith	mine comes from identity	21:40
dansmith	huh-friggin-zuh!	21:42
lbragstad	yeah..	21:42
dansmith	works, thanks a bunch	21:43
lbragstad	i tripped over the overridden get_token() implementation and didn't know what it was	21:43
lbragstad	because it's an auth plugin, not grouped with the rest of the auth plugins...	21:43
lbragstad	so - that's fun... sorry for the wild goose chase	21:43
dansmith	no worries, I sent us on said chase	21:44
*** jamesmcarthur has joined #openstack-dev		22:14
*** jamesmcarthur has quit IRC		22:17
*** rloo has quit IRC		22:59
*** yumiriam has quit IRC		23:15

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!