Thursday, 2014-06-19

openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Update sample config https://review.openstack.org/101058	00:02
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Document pkiz as provider in config https://review.openstack.org/101059	00:02
*** richm has left #openstack-keystone		00:08
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Imports to fix build warnings https://review.openstack.org/99745	00:12
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Doc build fails if warnings https://review.openstack.org/101061	00:12
bknudson	^ will help us keep our docstrings clean	00:13
*** leseb has joined #openstack-keystone		00:15
*** leseb has quit IRC		00:20
*** praneshp has quit IRC		00:28
*** diegows has joined #openstack-keystone		00:37
jamielennox	ayoung: do you have a v2 trust token handy?	00:44
ayoung	jamielennox, hmmm	00:44
*** dims_ has quit IRC		00:46
*** dims_ has joined #openstack-keystone		00:48
jamielennox	ayoung: guess not - i just figured you might have had one generated there that you were using for testing	00:49
ayoung	nah, had an 8 year old get out of bed on me	00:51
ayoung	thoughtthe ritual was completed	00:51
ayoung	jamielennox, I don't have one, but shouldn't be too hard to do	00:51
jamielennox	ayoung: yea, i'm pretty sure i know how to do it - but i'll have to do it manually with the client and i'm lazy	00:53
ayoung	should have a script for it...let me check	00:55
jamielennox	ergh, can't use trust_id from the cmdline?	00:59
*** dims_ has quit IRC		01:05
openstackgerrit	A change was merged to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/96265	01:05
openstackgerrit	A change was merged to openstack/keystone: fix flake8 issues https://review.openstack.org/100628	01:05
openstackgerrit	A change was merged to openstack/keystone: Updated from global requirements https://review.openstack.org/99076	01:05
*** dims_ has joined #openstack-keystone		01:07
*** diegows has quit IRC		01:09
*** mberlin1 has joined #openstack-keystone		01:11
*** mberlin has quit IRC		01:13
jamielennox	ayoung: did you find it - cause i'm getting this: http://paste.fedoraproject.org/110989/14050614/	01:15
jamielennox	ie, works for v3 not for v2	01:15
*** leseb has joined #openstack-keystone		01:16
jamielennox	and i'm just wondering how long that's been the case	01:16
ayoung	jamielennox, what "works"	01:16
ayoung	or doesn't? What am I looking at?	01:17
jamielennox	see output at the end of paste	01:17
jamielennox	when i do the v2 i end up with an unscoped token, when i do v3 i get the trust scoped token	01:17
ayoung	that top token is created with a trust?	01:17
ayoung	line 35?	01:17
jamielennox	the code i used is at the top	01:18
ayoung	DEBUG:keystoneclient.session:REQ: curl -i -X POST http://localhost:5000/v2.0/tokens -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"passwordCredentials": {"username": "bob", "password": "bob1"}, "trust_id": "0b16de31a8c64fd5b0054054db468a00"}}'	01:18
jamielennox	yep	01:19
ayoung	jamielennox, I suspect the trust_id is in the wrong place in the top request, and it is getting ignored	01:19
jamielennox	ayoung: that means it's been broken since.... forever	01:19
*** RockKuo_Office has joined #openstack-keystone		01:21
*** leseb has quit IRC		01:21
ayoung	let me see...this is in /token/controller...	01:22
ayoung	try disabling trusts and rerunning it	01:23
ayoung	CONF.trust.enabled	01:23
ayoung	it looks right	01:23
*** browne has quit IRC		01:24
jamielennox	AuthFailure trusts are disabled	01:25
*** gokrokve has quit IRC		01:25
jamielennox	oh - that's v3	01:25
jamielennox	no change on v2	01:25
jamielennox	so yes it's getting ignored	01:25
*** gokrokve has joined #openstack-keystone		01:25
*** dims_ has quit IRC		01:26
*** dims_ has joined #openstack-keystone		01:26
jamielennox	ayoung: it's been a while since i've been through this code - but i don't see trust handling at all in the v2 path	01:26
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/controllers.py#n167	01:26
jamielennox	right but that's authenticate_token	01:28
*** rodrigods_ has joined #openstack-keystone		01:28
jamielennox	"""Try to authenticate using an already existing token.	01:28
ayoung	git.openstack.org/cgit/openstack/keystone/tree/keystone/token/controllers.py#n167/trust	01:28
ayoung	jamielennox, yeah, so the old token gets validated, and it issues a new token	01:28
*** gokrokve has quit IRC		01:30
openstackgerrit	A change was merged to openstack/keystone: Properly invalidate cache for get_*_by_name methods https://review.openstack.org/97082	01:32
*** marcoemorais has quit IRC		01:34
jamielennox	ok, that's a bit odd and we should have a warning or something in client	01:35
jamielennox	new problems now	01:36
*** dstanek_zzz is now known as dstanek		01:36
jamielennox	ayoung: ouch, ok that's a little bit broken	01:39
jamielennox	in v3 you specify just a trust_id and it figures stuff out for you	01:39
jamielennox	in v2 on the second request you need to specify the tenant that the trust is on	01:40
ayoung	or it just ignores it?	01:41
jamielennox	ayoung: so you have to do: http://paste.fedoraproject.org/110990/03142131/	01:42
jamielennox	else you get a None returned: https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L199	01:43
ayoung	'{"auth": {"token": {"id": "eecfa8d90c99444c878d552e37455b2d"}, "tenantName": "demo", "trust_id": "0b16de31a8c64fd5b0054054db468a00"}}'	01:43
jamielennox	if tenantId and tenantName are both None here: https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L330-L347 you get a None back	01:43
ayoung	that should probably be in the else block above	01:44
jamielennox	anyway it kind of answers my question, trustor_user_id and impersonation values are not available in the returned v2 token	01:46
*** CC has joined #openstack-keystone		01:47
*** CC has joined #openstack-keystone		01:47
ayoung	that is a bug	01:48
*** hrybacki has quit IRC		01:48
*** diegows has joined #openstack-keystone		01:49
*** CC has left #openstack-keystone		01:49
jamielennox	it returns trustee_user_id - but that's kind of useless because trustee_user_id == user_id	01:50
jamielennox	ok, want me to file that	01:52
morganfainberg	huh... wtf os x wont let me install passlib from pip now.	01:52
morganfainberg	ayoung, did you see https://bugs.launchpad.net/keystone/+bug/1331406 ?	01:53
ayoung	jamielennox, yes, please	01:53
uvirtbot	Launchpad bug 1331406 in horizon "can not login to Dashboard on devstack" [Critical,Confirmed]	01:53
morganfainberg	ayoung, before i dive in, making sure we're not duplicating work.	01:53
ayoung	check_for_test_cookie is deprecated; ensure your login view is CSRF-protected. ?	01:54
ayoung	ah PKIZ	01:54
morganfainberg	ayoung, aparantly this worked prior to PKIZ becomeing default	01:54
ayoung	nope, just saw it	01:54
morganfainberg	ayoung, ok i can take a look (still have the PKIZ debug devstack near ready)	01:54
* morganfainberg finishes running a test run for backport of the cache-invalidate code.		01:55
morganfainberg	i think i need to setup a local http cache for things like pypi	01:56
jamielennox	ayoung: https://bugs.launchpad.net/keystone/+bug/1331882	01:56
uvirtbot	Launchpad bug 1331882 in keystone "trustor_user_id not available in v2 trust token" [Undecided,New]	01:56
ayoung	morganfainberg, guessing they are doing something funny with the token	01:56
morganfainberg	ayoung, i'm sure it's something like that	01:56
* morganfainberg looks athow much a small home server will cost.		01:56
ayoung	build it yourself!	01:56
morganfainberg	ayoung, depends on if the corp discount brings it to < build it myself + pain and suffering :P	01:57
morganfainberg	ayoung, but i am looking on newegg right now for parts :P	01:57
ayoung	http://rwmj.wordpress.com/2014/04/17/caseless-virtualization-cluster-part-4/ morganfainberg	01:57
ayoung	http://rwmj.wordpress.com/2014/04/16/caseless-virtualization-cluster-part-2/	01:58
morganfainberg	interesting	01:58
ayoung	TOTAL PRICE OF CLUSTER £1300	01:58
dstanek	morganfainberg: small home server? you work in the cloud :-)	01:58
morganfainberg	dstanek, doesn't make pypi more reliable... or apt	01:59
morganfainberg	dstanek, something i can locally cache/sync that for would be useful (and i don't have a few TB of space in my laptop to do it)	01:59
*** gokrokve has joined #openstack-keystone		01:59
ayoung	morganfainberg, I just bought a $300 Dell system for family use. I suspect you would only need something like that	01:59
morganfainberg	ayoung, thats kindof my thought	01:59
morganfainberg	ayoung, going to look at the HP things i can buy.	02:00
ayoung	Oh, sure, be that way	02:00
* ayoung might try to funnel some machines through morganfainberg		02:00
morganfainberg	ayoung, :P	02:00
morganfainberg	ayoung, LOL	02:01
morganfainberg	yeah some silly low power processor with fast storage and decent nic. 4-8gb of ram. shouldn't be hard to spec out	02:01
morganfainberg	then the question is... Fedora or ubuntu	02:01
dstanek	Windows XP	02:02
ayoung	dstanek, Win8 these days	02:03
ayoung	http://www.amazon.com/gp/product/B00HWML468/ref=oh_details_o04_s00_i00?ie=UTF8&psc=1	02:03
*** praneshp has joined #openstack-keystone		02:04
ayoung	http://www.amazon.com/HP-EX485-MediaSmart-Home-Server/dp/B001OI2ZG4/ref=sr_1_2?s=electronics&ie=UTF8&qid=1403143457&sr=1-2&keywords=hp+home+server looks like a comparable, but not as sleek	02:04
ayoung	morganfainberg, the only thing I would make sure is that whatever CPU you get is 64bit with virtualization extensions.	02:05
ayoung	And that is most these days	02:05
*** praneshp_ has joined #openstack-keystone		02:07
morganfainberg	ayoung, yeah i was thinking looking for something w/ haswell	02:08
morganfainberg	ayoung, i think those all have xvir and are 64bit	02:08
*** rodrigods_ has quit IRC		02:09
bknudson	I got this little diskstation thing that's worked well	02:10
*** praneshp has quit IRC		02:10
*** praneshp_ is now known as praneshp		02:10
morganfainberg	bknudson, ah thats an idea.	02:10
bknudson	synology ds411slim	02:10
*** diegows has quit IRC		02:12
morganfainberg	ayoung, http://httpstatusdogs.com/	02:12
morganfainberg	i like HTP 444 the best of those	02:13
morganfainberg	though 420 is good	02:13
ayoung	++	02:14
*** leseb has joined #openstack-keystone		02:17
morganfainberg	ayoung, if you have a chance to +1 this https://review.openstack.org/#/c/95987/ [split repo] that would be great. or comment otherwise on it. since it was originally yours ;)	02:17
ayoung	morganfainberg, what are we doing about circular?	02:18
morganfainberg	ayoung, freeze the stuff in keystoneclient and all new work goes in middleware	02:19
morganfainberg	ayoung, no circular deps in keystone -> middleware	02:19
ayoung	morganfainberg, and we work splitbrain?	02:19
morganfainberg	ayoung, keystoneclient middleware is moved to security maintenance only	02:19
ayoung	OK	02:20
morganfainberg	ayoung, unless it's a security fix, no new code	02:20
ayoung	morganfainberg, is that in there?	02:20
morganfainberg	ayoung, yep	02:20
jamielennox	morganfainberg: this seems like the time to get rid of all those things we've tried to deprecate	02:20
ayoung	ah...see it now	02:20
ayoung	jamielennox, +++++	02:20
morganfainberg	jamielennox, that is something i'm totally game to do	02:20
jamielennox	morganfainberg: sweet	02:21
bknudson	it still needs to be backwards compatible	02:21
morganfainberg	bknudson, ++	02:21
morganfainberg	jamielennox, ^	02:21
ayoung	bknudson, to a degree, but all the internal auth_token functions should be hidden away	02:21
bknudson	should be able to switch from keystoneclient auth_token to middleware auth_token	02:21
jamielennox	bknudson: why?	02:21
jamielennox	bknudson: says who?	02:21
morganfainberg	but i tried to keep it as non-specific as possible to avoid concerns of internal mechanisms, as long as it provides the same output from the input i don't really care what it looks like	02:22
*** leseb has quit IRC		02:22
morganfainberg	jamielennox, same input should = same output to the underlying service	02:22
morganfainberg	jamielennox, but however the internal stuff works... is very up in the air.	02:22
bknudson	what are we proposing to remove?	02:22
jamielennox	morganfainberg: sure - but we can change for example the config opts	02:22
morganfainberg	jamielennox, absolutely.	02:22
bknudson	oh, the uri config	02:23
jamielennox	bknudson: that's an example	02:23
jamielennox	but there's a lot of cruft in there	02:23
morganfainberg	jamielennox, we might need some compat in there , but largely we should be able to mitigate some cruft	02:23
morganfainberg	jamielennox, s/some/a lot/	02:24
morganfainberg	there was a reason i specifed the initial release was going to be 1.0.0 of the middleware	02:25
openstackgerrit	Li Ma proposed a change to openstack/keystone: Fix the typo and reformat the comments for the added option https://review.openstack.org/98942	02:25
morganfainberg	ayoung, /me is not looking forward to running havana tests :(	02:29
ayoung	morganfainberg, for what?	02:29
morganfainberg	running master tests has spoiled me enough as is compared to even icehouse	02:29
ayoung	middleware should be Juno forward	02:30
morganfainberg	ayoung, backport of the get_by_name cache invalidation bug	02:30
ayoung	ah	02:30
ayoung	yeah...run_tests.sh for grizzly just now	02:30
morganfainberg	has to go back to H :(	02:30
morganfainberg	well.. should go back to H	02:30
ayoung	had to remember to do the ramdisk hack	02:30
morganfainberg	oh i need to check on tox stuffs see if we're moving to newer tox yet	02:30
morganfainberg	i want to make our run_tests 100% a wrapper for tox, but can't w/o removing the --fast-fail option	02:31
*** openstackgerrit_ has joined #openstack-keystone		02:35
ayoung	morganfainberg, OK, think I reproduced the bug	02:36
ayoung	https://bugs.launchpad.net/keystone/+bug/1331406	02:36
uvirtbot	Launchpad bug 1331406 in horizon "can not login to Dashboard on devstack" [Critical,Confirmed]	02:36
morganfainberg	ayoung, ah cool sorry was waiting for this test run to finish before resetting my devstack	02:37
ayoung	morganfainberg, devstack is still running, but horizon and glance are up	02:37
ayoung	I can get a token	02:37
ayoung	PKIZ_eJy1WEl3m8wS	02:37
ayoung	and I can glance image-list	02:37
ayoung	morganfainberg, maybe not...glance setup is still progressing, downloading images, so no nova yet. That might have been what failed...	02:40
*** nsquare has joined #openstack-keystone		02:41
ayoung	morganfainberg, wonder if it is a case of updateing keystone but not keystoneclient	02:41
ayoung	http://fhornain.wordpress.com/2014/06/18/red-hat-to-acquire-enovance-a-leader-in-openstack-integration-services/	02:42
ayoung	well well	02:42
ayoung	what do they do anyway?	02:42
morganfainberg	oh enovance	02:43
morganfainberg	cool.	02:43
morganfainberg	i think they're a competitor to like mirantis and metacloud, primairly focused on EU	02:44
morganfainberg	smart folks over there	02:44
ayoung	cool. does this mean I can stop looking at Ruby on rails code?	02:44
morganfainberg	LOL	02:45
morganfainberg	ask chmouel, i think he's from enovance	02:45
ayoung	Oooh, if we got him, it was probably worth the purchase price	02:46
morganfainberg	hmm... openstackgerrit poke	02:47
morganfainberg	ok whatever.	02:47
ayoung	yeah, we got him!	02:47
ayoung	are they a services company? Very little on their Pod thingy	02:48
morganfainberg	Enterprise Services / integration i think	02:50
*** yfujioka has quit IRC		02:50
ayoung	Yeah, even the Pod is a reference architecture...which sounds non-producty to me	02:50
morganfainberg	based on what i know, good accquisition	02:50
* ayoung still going to have to work with rails		02:50
ayoung	"For Red Hat, the acquisition kills two birds with one stone. First and foremost, bringing eNovance into the fold puts it in a better position to monetize OpenStack with a more comprehensive consultancy offering. And second, the deal buys it an expanded foothold in Europe, which has historically trailed behind the U.S. in technology adoption but is nonetheless witnessing rising interest in the cloud platform."	02:50
morganfainberg	ah well	02:50
morganfainberg	could be worse	02:50
ayoung	http://siliconangle.com/blog/2014/06/18/red-hat-continues-openstack-push-with-latest-acquisition/?angle=silicon	02:51
morganfainberg	the latter part i think is the big big win.	02:51
morganfainberg	you could perform the former in a number of ways	02:51
ayoung	taking a redicyouless amount of time to download the Fedora image. Only 204M...18 minutes to go	02:54
morganfainberg	ouch	02:55
morganfainberg	restacking to try this out btw as well.	02:55
morganfainberg	the bug ^	02:55
morganfainberg	had some cruft in my devstack	02:56
ayoung	eta 14m 9s	02:57
ayoung	let me take a look at the horizon auth code	02:58
*** ncoghlan has joined #openstack-keystone		02:58
morganfainberg	why so slow download?	02:58
*** nkinder_ has quit IRC		02:58
morganfainberg	that django auth thing	02:58
*** nkinder_ has joined #openstack-keystone		02:59
ayoung	question is what do they do with the token. Yeah, might be that external library	02:59
morganfainberg	well that was easy to duplicate	03:00
*** gokrokve has quit IRC		03:00
ayoung	jamielennox, want to make the world a better place? convert django_openstack_auth to using sessions	03:01
morganfainberg	ayoung, so... changing the provider to PKI made it work again	03:03
*** oomichi has quit IRC		03:03
ayoung	morganfainberg, yeah, no surprise...question is "why"	03:03
morganfainberg	i'll bet.. sec	03:04
jamielennox	ayoung: there is a problem with using sessions in keystoneclient that i haven't fixed yet that has kind of prevented me doing that	03:04
ayoung	I see that glance can handle the tokens, so it isn't just auth_token type stuff	03:04
ayoung	jamielennox, I need that for the Kerberos work. What is the problem and can Ihelp	03:04
jamielennox	ayoung: there are a couple of functions like changing your own password that call back to the client object to figure out the current user_id	03:06
jamielennox	when you use the session that value isn't updated	03:06
jamielennox	in the same way if you use a token directly there there is no value	03:06
ayoung	jamielennox, its in the token body. So same issue as morganfainberg is dealing with for tracking?	03:06
morganfainberg	ayoung, i think they are calling https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/utils.py#L83	03:06
morganfainberg	ayoung, and well it's not the keystoneclient "one"	03:07
morganfainberg	so no PKIZ allowed	03:07
ayoung	monkeys	03:07
ayoung	cowboys	03:07
jamielennox	ayoung: it's the reason for https://review.openstack.org/#/c/97681/3/keystoneclient/httpclient.py line 69	03:07
ayoung	billions of blue blistering barnacles	03:07
morganfainberg	ayoung, oh and they force a short-hash	03:08
jamielennox	nobody has noticed this yet - and i haven't filed it - but if it's used for horizon they will	03:08
morganfainberg	ayoung this would break if they used the configurable hash bknudson setup i think	03:08
ayoung	morganfainberg, maybe, but I think they just use it to stash in memcached and the session	03:08
morganfainberg	they explicitly hash to MD5	03:08
morganfainberg	ayoung, maybe	03:09
morganfainberg	ayoung, anyway...	03:09
morganfainberg	this is not a keystone bug it's a django_openstack_auth bug.	03:09
morganfainberg	ayoung, hmm.	03:10
morganfainberg	ayoung, maybe not /me keeps digging	03:10
ayoung	morganfainberg, looks like it	03:11
*** jcromer has quit IRC		03:14
ayoung	morganfainberg, good for me to get some work in on this, as I need to contributee the kerberos fix here eventually	03:14
morganfainberg	ayoung, ++ i'm still digging to see where exactly it's falling over	03:14
morganfainberg	but we're on the right path	03:14
morganfainberg	it makes a _lot_ of assumptions here	03:14
ayoung	morganfainberg, probably just that it is failing the "is asn1" tests an so not getting hashed	03:15
morganfainberg	maybe	03:16
ayoung	PKIZ != MII	03:16
morganfainberg	and i think i just confirmed this is going to fail if you hash with something other than MD5	03:16
ayoung	if utils.is_asn1_token(self.id):	03:16
ayoung	self.id = hashlib.md5(self.id).hexdigest()	03:17
morganfainberg	yeah and it passed that token_id through	03:17
ayoung	they hash to stick in memcached.	03:17
ayoung	that is not exposed outside of horizon	03:17
morganfainberg	hmm	03:17
*** leseb has joined #openstack-keystone		03:17
morganfainberg	is this failing to write to the session because the key is too big then?	03:19
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add trust users to AccessInfo and fixture https://review.openstack.org/100733	03:19
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Revocation event API https://review.openstack.org/81166	03:19
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add role ids to the AccessInfo https://review.openstack.org/100774	03:19
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add issued handlers to auth_ref and fixtures https://review.openstack.org/100775	03:19
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add OAuth data to AccessInfo https://review.openstack.org/100776	03:19
ayoung	morganfainberg, I've got a fix	03:20
jamielennox	ayoung: i just pushed revocation events to the end of that stack ^	03:22
morganfainberg	ayoung, yeah i just changed it to always hash the id. it worked.	03:23
morganfainberg	ayoung, ok i'm going to set this as invalid in keystone in LP.	03:23
*** leseb has quit IRC		03:23
ayoung	jamielennox, I am in your debt. I assume you can be paid off in alcohol?	03:23
jamielennox	ayoung: always	03:23
ayoung	I would say beer, but since next we meet in Paris...	03:23
ayoung	morganfainberg, needs to only hash if the id is longer than...some threshold	03:24
ayoung	maybe 64 chars?	03:24
morganfainberg	ayoung, uh, go with 32 to be safe	03:24
morganfainberg	if it isn't a uuid, hash	03:24
ayoung	morganfainberg, nah, its cookie length	03:24
morganfainberg	ayoung, ok	03:24
ayoung	I think they can be 4k, so 64 bytes should be OK as a cutoff. But, what do we want to do for a hashing algorithm?	03:25
ayoung	Should I modify that now, too?	03:25
ayoung	sha256?	03:26
ayoung	how long is that?	03:26
ayoung	256?	03:26
morganfainberg	sha256 is 64	03:26
morganfainberg	probably should use a "safe" hashing algo.	03:27
morganfainberg	ok marked as invalid against keystone, and tagged to django-openstack-auth project	03:27
*** rwsu has quit IRC		03:27
ayoung	sha256 it is	03:30
ayoung	if len(self.id) > 64:	03:30
ayoung	self.id = hashlib.sha256(self.id).hexdigest()	03:30
ayoung	morganfainberg, OK, so django_openstack_auth ... how do I submit a patch to that? Git hub pull request?	03:31
morganfainberg	looking	03:31
morganfainberg	ayoung, it has a .gitreview file	03:32
morganfainberg	looks like gerrit	03:32
*** dims_ has quit IRC		03:32
*** gokrokve has joined #openstack-keystone		03:33
*** zhiyan_ is now known as zhiyan		03:34
*** gokrokve_ has joined #openstack-keystone		03:36
*** gokrokve has quit IRC		03:39
*** gyee has quit IRC		03:41
ayoung	jamielennox, what is keystoneclient.access.AccessInfo.factory(	03:47
ayoung	and why is it producing a token	03:47
jamielennox	AccessInfo is the client abstraction between v2 and v3 tokens	03:47
jamielennox	factory just means check if it's v2 or v3 and create the appropriate object	03:47
morganfainberg	jamielennox, was told in -infra there might be some httpretty issues going on	03:49
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Only emit disable notifications for project/domain on disable https://review.openstack.org/99569	03:51
ayoung	morganfainberg, https://bugs.launchpad.net/keystone/+bug/1331406 patch attached...I'm headed to bed	03:52
uvirtbot	Launchpad bug 1331406 in horizon "can not login to Dashboard on devstack" [Critical,Confirmed]	03:52
morganfainberg	ayoung, sumitted to gerrit?	03:53
morganfainberg	ayoung, looks to be a gerrit review workflow	03:53
morganfainberg	ayoung, i can submit [obv. keep your name on it as author] if you're really off to bed	03:54
*** serverascode has quit IRC		03:59
*** stevemar has joined #openstack-keystone		03:59
*** ctracey has quit IRC		04:00
morganfainberg	ayoung, https://review.openstack.org/#/c/101089	04:02
*** serverascode has joined #openstack-keystone		04:02
*** ctracey has joined #openstack-keystone		04:03
*** jraim has quit IRC		04:05
*** jraim has joined #openstack-keystone		04:07
*** dtroyer_zz has quit IRC		04:12
*** dims_ has joined #openstack-keystone		04:16
*** leseb has joined #openstack-keystone		04:18
*** dims_ has quit IRC		04:20
*** leseb has quit IRC		04:24
*** dstanek is now known as dstanek_zzz		04:45
*** dims_ has joined #openstack-keystone		04:46
*** henrynash has joined #openstack-keystone		04:46
* morganfainberg should really go to bed...		04:47
*** dims_ has quit IRC		04:51
*** stevemar has quit IRC		04:53
*** xianghui^ has quit IRC		04:55
openstackgerrit	A change was merged to openstack/keystone: Fix the typo and reformat the comments for the added option https://review.openstack.org/98942	05:06
*** xianghui^ has joined #openstack-keystone		05:08
*** leseb has joined #openstack-keystone		05:19
*** leseb has quit IRC		05:23
*** ajayaa has joined #openstack-keystone		05:36
*** dims_ has joined #openstack-keystone		05:47
*** dims_ has quit IRC		05:51
*** harlowja is now known as harlowja_away		05:54
*** morganfainberg has quit IRC		05:57
*** morganfainberg has joined #openstack-keystone		05:58
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/97005	06:00
*** xianghui^ has quit IRC		06:04
*** pheadron has joined #openstack-keystone		06:05
*** xianghui^ has joined #openstack-keystone		06:17
*** pheadron has quit IRC		06:19
*** leseb has joined #openstack-keystone		06:20
*** andreaf has joined #openstack-keystone		06:22
*** leseb has quit IRC		06:24
*** henrynash has quit IRC		06:26
*** ncoghlan is now known as ncoghlan_afk		06:38
*** ncoghlan_afk is now known as ncoghlan		06:45
*** dims_ has joined #openstack-keystone		06:47
*** dims_ has quit IRC		06:52
*** marekd\|away is now known as marekd		06:55
*** leseb has joined #openstack-keystone		06:56
*** afazekas is now known as __afazekas		07:00
*** i159 has joined #openstack-keystone		07:02
*** andreaf has quit IRC		07:03
*** mhu has quit IRC		07:03
*** mhu has joined #openstack-keystone		07:03
*** gokrokve_ has quit IRC		07:05
*** BAKfr has joined #openstack-keystone		07:07
*** gokrokve has joined #openstack-keystone		07:15
*** ajc_ has joined #openstack-keystone		07:17
*** gokrokve has quit IRC		07:19
*** baffle_ has joined #openstack-keystone		07:24
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens. https://review.openstack.org/99704	07:26
*** arunkant has quit IRC		07:27
*** baffle has quit IRC		07:27
*** arunkant has joined #openstack-keystone		07:29
*** gokrokve has joined #openstack-keystone		07:35
*** afazekas_ has joined #openstack-keystone		07:40
*** gokrokve has quit IRC		07:40
*** afazekas_ is now known as afazekas		07:42
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Rename v3._AuthConstructor to v3.AuthConstructor https://review.openstack.org/101127	07:46
*** dims_ has joined #openstack-keystone		07:48
*** dims_ has quit IRC		07:54
*** chandan_kumar has quit IRC		08:01
*** ncoghlan is now known as ncoghlan_afk		08:02
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols. https://review.openstack.org/83829	08:10
*** gokrokve has joined #openstack-keystone		08:27
*** gokrokve has quit IRC		08:32
*** henrynash has joined #openstack-keystone		08:33
*** andreaf has joined #openstack-keystone		08:37
*** xianghui^ has quit IRC		08:45
*** dims_ has joined #openstack-keystone		08:51
*** dims_ has quit IRC		08:55
*** openstackgerrit has quit IRC		09:14
*** fmarco76 has joined #openstack-keystone		09:21
*** henrynash has quit IRC		09:25
*** xianghui^ has joined #openstack-keystone		09:28
*** gokrokve has joined #openstack-keystone		09:28
*** fmarco76 has quit IRC		09:32
*** gokrokve has quit IRC		09:33
*** dims_ has joined #openstack-keystone		09:52
*** oomichi has joined #openstack-keystone		09:54
*** dims_ has quit IRC		09:57
*** nsquare has quit IRC		09:57
*** praneshp has quit IRC		10:12
*** Ju_ has joined #openstack-keystone		10:24
*** leseb has quit IRC		10:25
*** gokrokve has joined #openstack-keystone		10:29
*** gokrokve_ has joined #openstack-keystone		10:31
*** gokrokve has quit IRC		10:33
*** gokrokve_ has quit IRC		10:35
*** ajayaa has quit IRC		10:51
*** dims_ has joined #openstack-keystone		10:52
*** zhiyan is now known as zhiyan_		10:57
*** dims_ has quit IRC		10:57
*** ajayaa has joined #openstack-keystone		11:09
*** leseb has joined #openstack-keystone		11:11
*** leseb has quit IRC		11:15
*** dims_ has joined #openstack-keystone		11:18
*** oomichi has quit IRC		11:20
*** lbragstad has quit IRC		11:23
*** leseb has joined #openstack-keystone		11:28
*** gokrokve has joined #openstack-keystone		11:32
*** RockKuo_Office has quit IRC		11:35
*** gokrokve has quit IRC		11:37
*** beav has quit IRC		11:49
*** ajc_ has quit IRC		11:50
*** ajc_ has joined #openstack-keystone		11:50
*** dims_ has quit IRC		11:54
*** ajc_ has quit IRC		11:55
*** hrybacki has joined #openstack-keystone		12:03
*** hrybacki has quit IRC		12:03
*** hrybacki has joined #openstack-keystone		12:04
*** juanmo has joined #openstack-keystone		12:07
*** afazekas_ has joined #openstack-keystone		12:08
*** afazekas has quit IRC		12:09
*** jamielennox is now known as jamielennox\|away		12:18
*** ayoung has quit IRC		12:20
*** wyllys has joined #openstack-keystone		12:26
*** gokrokve has joined #openstack-keystone		12:32
*** gokrokve has quit IRC		12:37
*** erecio has joined #openstack-keystone		12:44
*** henrynash has joined #openstack-keystone		12:44
*** andreaf has quit IRC		12:46
*** henrynash has quit IRC		12:46
*** ozialien has quit IRC		12:47
*** henrynash has joined #openstack-keystone		12:48
*** afazekas_ has quit IRC		12:58
ajayaa	Hi. How do I run unit tests in python-keystoneclient?	13:00
ajayaa	tox -epy27 keystoneclient.tests fails with "ERROR: py27: could not install deps"	13:02
*** gordc has joined #openstack-keystone		13:02
ajayaa	marekd,	13:03
marekd	ajayaa: hi	13:03
ajayaa	marekd, how are you running unit tests in python-keystoneclient	13:04
ajayaa	?	13:04
marekd	ajayaa: regarding your question try tox with -r switch	13:04
marekd	tox -re py27	13:04
marekd	it will try to reinstall the environment.	13:04
*** afazekas_ has joined #openstack-keystone		13:06
ajayaa	it fails with "IOError: [Errno 2] No such file or directory: '/home/aj/stack/python-keystoneclient/.tox/py27/build/httpretty/readme.rst'"	13:07
marekd	ajayaa: did you try -r ?	13:08
ajayaa	yes	13:08
ajayaa	same issue.	13:08
marekd	let me try locally.	13:08
marekd	after rebuilding the env i get the same error.	13:09
ajayaa	deleted .tox directory and tried. But same issue again	13:09
marekd	looks like probmen with httpretty version.	13:10
marekd	you can try using older version of httpretty	13:10
ajayaa	yep.	13:10
marekd	so edit requirements.txt file.	13:10
marekd	and file a bug if nobody hasn't already done that.	13:10
ajayaa	I think test-requirements.txt	13:10
ajayaa	:)	13:10
marekd	...yes one of those files.	13:11
*** richm has joined #openstack-keystone		13:20
*** andreaf has joined #openstack-keystone		13:24
*** joesavak has joined #openstack-keystone		13:26
marekd	ajayaa: let me know if older version of httpretty works.	13:29
*** gokrokve has joined #openstack-keystone		13:33
ajayaa	marekd: https://github.com/gabrielfalcao/HTTPretty/pull/175	13:36
*** Gippa has joined #openstack-keystone		13:37
ajayaa	marekd, https://github.com/gabrielfalcao/HTTPretty/pull/175	13:37
*** gokrokve has quit IRC		13:37
*** raildo has joined #openstack-keystone		13:39
*** d0ugal has quit IRC		13:39
*** d0ugal_ has joined #openstack-keystone		13:39
*** d0ugal_ is now known as d0ugal		13:40
marekd	ajayaa: thanks.	13:44
*** anteaya has quit IRC		13:51
*** anteaya has joined #openstack-keystone		13:53
*** zhiyan_ is now known as zhiyan		13:54
*** stevemar has joined #openstack-keystone		13:57
*** ayoung has joined #openstack-keystone		14:03
*** ajayaa has quit IRC		14:04
*** gokrokve has joined #openstack-keystone		14:04
*** amirosh has joined #openstack-keystone		14:10
*** dstanek_zzz is now known as dstanek		14:11
*** ajayaa has joined #openstack-keystone		14:16
*** topol has joined #openstack-keystone		14:19
*** Gippa has quit IRC		14:24
*** bklei has joined #openstack-keystone		14:27
nkinder_	morganfainberg: is there a review for adding a tracking id to tokens yet?	14:29
*** dstanek is now known as dstanek_zzz		14:30
*** rwsu has joined #openstack-keystone		14:34
*** dstanek_zzz is now known as dstanek		14:35
*** dims has joined #openstack-keystone		14:37
*** ajayaa has quit IRC		14:43
*** afazekas_ has quit IRC		14:50
*** dstanek is now known as dstanek_zzz		14:52
morganfainberg	nkinder_, there is not	14:55
nkinder_	morganfainberg: ok, I'm not blind then :)	14:55
morganfainberg	nkinder_, nope,just the initial ksc work to redact / add the tracking id	14:55
*** ajayaa has joined #openstack-keystone		14:56
nkinder_	morganfainberg: yeah, I saw that one	14:57
morganfainberg	nkinder_, the rough part is that it'll need to be a new keystoneclient release to get that out there in either case.	14:58
morganfainberg	and there are some other change that should likely go in as well redacting other information, jamielennox\|away has more specifics.	14:58
*** dtroyer has joined #openstack-keystone		14:59
*** joesavak has quit IRC		15:01
*** jsavak has joined #openstack-keystone		15:01
*** david-lyle has joined #openstack-keystone		15:02
*** david-lyle has quit IRC		15:03
*** david-lyle has joined #openstack-keystone		15:04
*** ajayaa has quit IRC		15:05
stevemar	marekd, ping	15:10
marekd	stevemar: hey there.	15:10
boris-42	morganfainberg hi there	15:10
marekd	i think i might have fixed the ports problem...	15:10
morganfainberg	boris-42, hello!	15:10
stevemar	marekd, so about this non standard port	15:10
boris-42	morganfainberg one question keystone v2 is deprecateted?	15:10
stevemar	marekd, oh?	15:10
boris-42	morganfainberg I mean everybody should switch to v3 ?	15:10
morganfainberg	boris-42, V2 is not deprecated.	15:11
marekd	stevemar: iam stuck at the meeting and was almost done on my other machine just beforehand	15:11
boris-42	morganfainberg oh so	15:11
morganfainberg	boris-42, we do want everyone on v3	15:11
marekd	let me get back to the office, try it out again and then i will reply you.	15:11
hrybacki	Are all of the tempest tests for keystone contained within .../tempest/api/identity ?	15:11
boris-42	morganfainberg so I mean it's hard in rally to support both without nasty code	15:11
morganfainberg	boris-42, but until everyone can support V3 we can't deprecate v2	15:11
stevemar	marekd, ok :)	15:11
morganfainberg	boris-42, V3 is where any/all new development goes	15:11
marekd	stevemar: we had a openstack summit summary here, so others can also feel the spirit :-)	15:12
boris-42	morganfainberg yep	15:12
morganfainberg	boris-42, and everyone should be moving to V3 if at all possible.	15:12
boris-42	morganfainberg so it soft deprecation	15:12
morganfainberg	yeah, the official stance is v2 will not receive any updates unless it's for V2 -> V3 interop/migration support	15:12
morganfainberg	s/official/as official as we can make it/	15:13
boris-42	morganfainberg ok thanks for help	15:13
morganfainberg	boris-42, sure thing	15:13
morganfainberg	boris-42, also soon apache gate! very soon, i can taste it	15:13
stevemar	marekd, I like this new intern news!	15:13
marekd	stevemar: ah yeah...	15:13
stevemar	marekd, TEST ALL THE IDPS	15:14
marekd	stevemar: sth like that...	15:14
boris-42	morganfainberg nice!!	15:14
boris-42	morganfainberg I hope to see better graph!=)	15:14
marekd	stevemar: i don't see any other way than seting them up ;/	15:14
marekd	stevemar: let's see how it all works when he is here....	15:15
morganfainberg	boris-42, yeah the only thing that doesn't _really_ work at the moment is the grenade upgrade	15:15
marekd	BTW are we still failing all python-keystoneclient tests due to httpretty bug?	15:16
morganfainberg	boris-42, but if you wanted to check out the graph yourself, you could use https://review.openstack.org/#/c/100747/	15:16
morganfainberg	marekd, not sure where we stand on that.	15:16
morganfainberg	looks like it	15:17
boris-42	morganfainberg so apache will be in default gate?	15:17
morganfainberg	this is an upstream httpretty (new version) issue	15:17
marekd	morganfainberg: :( is rollbacking to the older version works as a local workaround?	15:17
boris-42	morganfainberg great so we won't need to change anything	15:17
morganfainberg	boris-42, yes.	15:17
boris-42	in rally job for keystone	15:17
boris-42	and we will be able to compare instantly before/after=)	15:18
morganfainberg	marekd, yeah that should work locally, going to go poke global requirments i think today unless jamielennox\|away is doing something else.	15:18
morganfainberg	boris-42, yep.	15:18
marekd	morganfainberg: thanks.	15:18
morganfainberg	in face https://review.openstack.org/#/c/101214/	15:19
morganfainberg	fact*	15:19
*** ajayaa has joined #openstack-keystone		15:22
*** Gippa has joined #openstack-keystone		15:28
*** ajayaa has quit IRC		15:31
*** Ju_ has quit IRC		15:36
*** amirosh has quit IRC		15:38
*** Gippa has quit IRC		15:42
*** nsquare has joined #openstack-keystone		15:45
*** lbragstad has joined #openstack-keystone		15:48
marekd	stevemar: ok, replied with configs.	15:53
marekd	stevemar: let me know if it works, ok?	15:53
*** ncoghlan_afk is now known as ncoghlan		15:59
*** joesavak has joined #openstack-keystone		16:01
*** wyllys has quit IRC		16:01
*** jsavak has quit IRC		16:03
marekd	dstanek_zzz: something you asked for: https://review.openstack.org/#/c/101127/	16:03
marekd	jamielennox\|away: ^^ you may want to take a look as well.	16:04
*** david-lyle has quit IRC		16:04
*** marcoemorais has joined #openstack-keystone		16:06
*** BAKfr has quit IRC		16:06
*** david-lyle has joined #openstack-keystone		16:07
*** packet has joined #openstack-keystone		16:09
*** ncoghlan is now known as ncoghlan_afk		16:09
stevemar	marekd, thx dude	16:18
*** __afazekas is now known as afazekas		16:22
*** wyllys has joined #openstack-keystone		16:33
*** amirosh has joined #openstack-keystone		16:45
*** gokrokve has quit IRC		16:49
*** nsquare has quit IRC		16:49
*** gyee has joined #openstack-keystone		16:51
*** joesavak has quit IRC		16:53
*** zhiyan is now known as zhiyan_		16:54
*** KanagarajM has joined #openstack-keystone		16:57
*** hrybacki_ has joined #openstack-keystone		17:03
*** KanagarajM has quit IRC		17:03
*** david-lyle has quit IRC		17:03
*** david-lyle has joined #openstack-keystone		17:05
*** harlowja_away is now known as harlowja		17:05
*** hrybacki has quit IRC		17:06
*** rodrigods_ has joined #openstack-keystone		17:07
*** hrybacki_ has quit IRC		17:07
*** amirosh has quit IRC		17:11
*** nsquare has joined #openstack-keystone		17:14
*** richm has quit IRC		17:15
*** amirosh has joined #openstack-keystone		17:15
*** gokrokve has joined #openstack-keystone		17:18
*** amirosh has quit IRC		17:19
*** i159 has quit IRC		17:21
*** hrybacki has joined #openstack-keystone		17:22
*** amirosh has joined #openstack-keystone		17:23
*** gordc has quit IRC		17:29
*** praneshp has joined #openstack-keystone		17:30
*** richm has joined #openstack-keystone		17:32
*** KanagarajM has joined #openstack-keystone		17:32
*** thedodd has joined #openstack-keystone		17:35
*** richm has quit IRC		17:36
*** richm has joined #openstack-keystone		17:38
*** KanagarajM has quit IRC		17:51
*** rodrigods_ has quit IRC		17:55
*** gordc has joined #openstack-keystone		17:56
*** doddstack has joined #openstack-keystone		17:59
*** thedodd has quit IRC		18:00
*** andreaf_ has joined #openstack-keystone		18:05
ayoung	gyee, morganfainberg, dstanek_zzz https://review.openstack.org/#/c/95989/ can we get that one through please? Lot of work queued up behind it	18:08
*** david-lyle has quit IRC		18:08
*** lbragstad has quit IRC		18:08
*** dims has quit IRC		18:08
*** bklei has quit IRC		18:08
*** rodrigods has quit IRC		18:08
*** amerine has quit IRC		18:08
*** gokrokve has quit IRC		18:08
*** gyee has quit IRC		18:08
*** andreaf has quit IRC		18:08
*** tellesnobrega has quit IRC		18:08
*** jdennis has quit IRC		18:08
*** rushiagr has quit IRC		18:08
*** hrybacki has quit IRC		18:08
*** marcoemorais has quit IRC		18:08
*** mhu has quit IRC		18:08
*** harlowja has quit IRC		18:08
*** mgagne has quit IRC		18:08
*** dolphm has quit IRC		18:08
*** zigo has quit IRC		18:08
*** Ephur has quit IRC		18:08
*** zhiyan_ has quit IRC		18:08
*** chmouel has quit IRC		18:08
*** shufflebot has quit IRC		18:08
*** uvirtbot has quit IRC		18:08
*** rodrigods_ has joined #openstack-keystone		18:10
*** hrybacki has joined #openstack-keystone		18:10
*** gokrokve has joined #openstack-keystone		18:10
*** david-lyle has joined #openstack-keystone		18:10
*** gyee has joined #openstack-keystone		18:10
*** marcoemorais has joined #openstack-keystone		18:10
*** lbragstad has joined #openstack-keystone		18:10
*** dims has joined #openstack-keystone		18:10
*** bklei has joined #openstack-keystone		18:10
*** mhu has joined #openstack-keystone		18:10
*** rodrigods has joined #openstack-keystone		18:10
*** Ephur has joined #openstack-keystone		18:10
*** tellesnobrega has joined #openstack-keystone		18:10
*** amerine has joined #openstack-keystone		18:10
*** harlowja has joined #openstack-keystone		18:10
*** mgagne has joined #openstack-keystone		18:10
*** jdennis has joined #openstack-keystone		18:10
*** rushiagr has joined #openstack-keystone		18:10
*** dolphm has joined #openstack-keystone		18:10
*** uvirtbot has joined #openstack-keystone		18:10
*** chmouel has joined #openstack-keystone		18:10
*** shufflebot has joined #openstack-keystone		18:10
*** zigo has joined #openstack-keystone		18:10
*** zhiyan_ has joined #openstack-keystone		18:10
*** dickson.freenode.net sets mode: +o dolphm		18:10
*** jraim has quit IRC		18:12
*** jraim has joined #openstack-keystone		18:12
*** jraim has quit IRC		18:12
*** jraim has joined #openstack-keystone		18:12
*** gyee has quit IRC		18:12
*** joesavak has joined #openstack-keystone		18:13
*** thiagop has joined #openstack-keystone		18:13
*** david-lyle has quit IRC		18:14
*** lbragstad has quit IRC		18:14
*** dims has quit IRC		18:14
*** bklei has quit IRC		18:14
*** rodrigods has quit IRC		18:14
*** amerine has quit IRC		18:14
*** rodrigods_ has quit IRC		18:14
*** gokrokve has quit IRC		18:14
*** tellesnobrega has quit IRC		18:14
*** jdennis has quit IRC		18:14
*** rushiagr has quit IRC		18:14
*** hrybacki has quit IRC		18:14
*** marcoemorais has quit IRC		18:14
*** mhu has quit IRC		18:14
*** harlowja has quit IRC		18:14
*** mgagne has quit IRC		18:14
*** dolphm has quit IRC		18:14
*** zigo has quit IRC		18:14
*** Ephur has quit IRC		18:14
*** zhiyan_ has quit IRC		18:14
*** chmouel has quit IRC		18:14
*** shufflebot has quit IRC		18:14
*** uvirtbot has quit IRC		18:14
*** rodrigods_ has joined #openstack-keystone		18:16
*** hrybacki has joined #openstack-keystone		18:16
*** gokrokve has joined #openstack-keystone		18:16
*** david-lyle has joined #openstack-keystone		18:16
*** marcoemorais has joined #openstack-keystone		18:16
*** lbragstad has joined #openstack-keystone		18:16
*** dims has joined #openstack-keystone		18:16
*** bklei has joined #openstack-keystone		18:16
*** mhu has joined #openstack-keystone		18:16
*** rodrigods has joined #openstack-keystone		18:16
*** Ephur has joined #openstack-keystone		18:16
*** tellesnobrega has joined #openstack-keystone		18:16
*** amerine has joined #openstack-keystone		18:16
*** harlowja has joined #openstack-keystone		18:16
*** mgagne has joined #openstack-keystone		18:16
*** jdennis has joined #openstack-keystone		18:16
*** rushiagr has joined #openstack-keystone		18:16
*** dolphm has joined #openstack-keystone		18:16
*** uvirtbot has joined #openstack-keystone		18:16
*** chmouel has joined #openstack-keystone		18:16
*** shufflebot has joined #openstack-keystone		18:16
*** zigo has joined #openstack-keystone		18:16
*** zhiyan_ has joined #openstack-keystone		18:16
*** dickson.freenode.net sets mode: +o dolphm		18:16
*** wyllys has left #openstack-keystone		18:16
*** rodrigods_ has quit IRC		18:25
bknudson	is there a bug for httpretty issue?	18:25
*** leseb has quit IRC		18:29
*** leseb has joined #openstack-keystone		18:29
morganfainberg	bknudson, uhmm.	18:33
*** dims has quit IRC		18:33
morganfainberg	not sure	18:33
*** rodrigods has quit IRC		18:33
*** amerine has quit IRC		18:33
*** bklei has quit IRC		18:33
*** rodrigods has joined #openstack-keystone		18:33
*** dims has joined #openstack-keystone		18:33
lbragstad	bknudson: not seeing anything come up in search	18:33
*** bklei has joined #openstack-keystone		18:33
*** amerine has joined #openstack-keystone		18:33
morganfainberg	bknudson, https://review.openstack.org/#/c/101214/ is the fix to global reqs	18:34
bknudson	keytoneclient is blocked by it	18:34
*** leseb has quit IRC		18:34
*** browne has joined #openstack-keystone		18:35
ayoung	stevemar, thanks	18:39
dolphm	bknudson: yes	18:39
ayoung	gyee ducked out... morganfainberg can you please pull the trigger on https://review.openstack.org/#/c/95989/	18:40
ayoung	I promise you a handful of code reviews in exchange ...shameless horse trader that I am	18:40
bknudson	https://bugs.launchpad.net/openstack-ci/+bug/1332266	18:40
uvirtbot	Launchpad bug 1332266 in openstack-ci "httpretty 0.8.1 fails to install, causing job failure" [Undecided,New]	18:40
morganfainberg	ayoung, just got back from coffee and was following up on the django one first.	18:41
ayoung	ah, yeah that is higher priority	18:41
morganfainberg	ayoung, yeah i can look at that one now.	18:41
stevemar	bknudson, it took me waaaaay too long to figure out how to add a test for hacking	18:43
bknudson	stevemar: it's magic	18:44
stevemar	bknudson, it's super magic, straight up voodoo	18:44
morganfainberg	ayoung minor nit, why did the build_external_auth_request move?	18:46
morganfainberg	ayoung, just wierd diff magic?	18:46
morganfainberg	ayoung, https://review.openstack.org/#/c/95989/8/keystone/tests/test_v3.py looks like it shouldn't have moved.	18:46
*** dstanek_zzz is now known as dstanek		18:46
ayoung	morganfainberg, I think I had removed it and then added it back in.	18:47
ayoung	I can reorder that...clean up the patch	18:47
morganfainberg	ok nah	18:47
morganfainberg	just was making sure i wasn't missing something	18:47
*** amirosh has quit IRC		18:49
ayoung	morganfainberg, It is probably worth reposting. Here is the cleaned up version http://paste.fedoraproject.org/111259/20379414/	18:50
morganfainberg	ayoung, ok.	18:50
morganfainberg	ayoung, if you wish to repost, please do :)	18:50
ayoung	morganfainberg, pep8 check, and then new version	18:51
morganfainberg	ayoung, ++	18:51
morganfainberg	otherwise LGTM	18:51
ayoung	stevemar, can I carry your +2 forward? All I did was move the test function back to where it was origianlly	18:52
ayoung	https://review.openstack.org/#/c/95989/8..9/keystone/tests/test_v3.py,cm	18:53
morganfainberg	ayoung, ah that looks better actually	18:54
*** david-lyle has quit IRC		18:54
stevemar	ayoung, still looks good	18:54
dstanek	marekd: i have a few more questions when you are around	18:55
marekd	dstanek: ok, so i can be around :-)	18:55
ayoung	OK...lets let it pass gate and I am willing to +a it myself with your blessings	18:55
dstanek	marekd: nice!	18:55
marekd	i am guessing it's my plugin, right?	18:56
dstanek	marekd: https://review.openstack.org/#/c/83829 - and the mapping in the docstring	18:56
dstanek	what actually calls the methods on the protocol instance?	18:56
dstanek	i'm wondering if mapping can just be added to the method signatures so that it is more obvious	18:57
marekd	when you add the protocol	18:57
marekd	you should send mapping_id in the request body.	18:58
marekd	dstanek: ^^	18:58
marekd	and AFAIR kwargs represents what you are going to send...	18:58
marekd	so when you call the method you want to add mapping_id as parameter, but it should go to kwargs.	18:58
dstanek	why in kwargs?	18:59
marekd	because later you take kwargs, and basically pass this dict as a request body.	18:59
morganfainberg	ayoung, ok last question, do we have a test now where REMOTE_USER is set but the external plugin isn;t loaded (and KRB one isn't either)?	18:59
ayoung	morganfainberg, yes	19:00
marekd	dstanek: HTTP request body.	19:00
ayoung	ah...no	19:00
ayoung	that might already exist, for disable	19:00
bknudson	you can run tox -e cover to see what's covered by tests	19:00
morganfainberg	ayoung, yeah that was what i was looking for	19:00
bknudson	or not covered	19:00
morganfainberg	ayoung, if we do have it, great, if not, it's something we should have to make sure we get the right response.	19:00
*** ekarlso has quit IRC		19:01
ayoung	morganfainberg, sure	19:01
dstanek	marekd: is there anything in kwargs besides that id?	19:01
marekd	and when PUT/PATCH API call looks like : https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-federation-ext.md#update-the-attribute-mapping-for-an-identity-provider-and-protocol-combination-patch-os-federationidentity_providersidp_idprotocolsprotocol_id	19:01
ayoung	morganfainberg, I think it would be in test_auth if it was anywhere	19:01
morganfainberg	ayoung, test_v3auth right?	19:01
marekd	dstanek: heh, that's the whole thing :-)	19:01
marekd	dstanek: which i don't really like .	19:02
marekd	dstanek: many methods/something in the middle also use kwargs as a parameters aggregator and simply pop params.	19:02
ayoung	morganfainberg, maybe, or just test_auth	19:02
marekd	dstanek: but i think the most competent person here about that is jamielennox\|away	19:02
*** diegows has joined #openstack-keystone		19:02
marekd	;/	19:03
ayoung	it existing in V2 as well	19:03
morganfainberg	isn't test_auth v2?	19:03
morganfainberg	right but this change affects only v3 and plugins	19:03
morganfainberg	you're doing a pass vs a raised exception with REMOTE_USER looking up external plugin now	19:03
morganfainberg	your change has no bearing on v2 in that regard.	19:04
dstanek	marekd: ok, i'm going to looks at this a little more - we used kwargs in so many places :-(	19:04
* morganfainberg isn't seeing that test.		19:04
ayoung	morganfainberg, nah, V2 was different, didn't need the method names	19:04
marekd	dstanek: in my patch?	19:04
morganfainberg	exactly	19:04
*** ekarlso has joined #openstack-keystone		19:04
dstanek	marekd: no in general	19:04
ayoung	so...yeah, would be test_v3_auth only	19:05
*** juanmo1 has joined #openstack-keystone		19:05
marekd	dstanek: ah yes, it caused me a lot of headaches ;/	19:05
dstanek	marekd: i like kwargs for situations where you don't know what will be passed in because you're wrapping and will just pass through	19:05
*** juanmo has quit IRC		19:05
marekd	dstanek: understood,	19:05
dstanek	marekd: i'd rather let Python do it's thing as much as possible in making sure required things are passed through	19:06
morganfainberg	ayoung, if you make it an add-on patch to this one i can approve this one	19:06
marekd	dstanek: but here it looks like: "i don't know whats inside, and i can hope the method in the middle will take away everything that shouldn't be there"	19:06
ayoung	morganfainberg, ++	19:06
morganfainberg	ayoung, but i'd like to see that test in the queue before we approve this	19:06
ayoung	morganfainberg, fair enough	19:07
dstanek	marekd: but you're trying to document what you expect in the kwargs, which to me implies that you know - and kwargs is just a shortcut	19:07
dstanek	ayoung: in https://review.openstack.org/#/c/95989/7/keystone/auth/controllers.py your comment confuses me - why would that env var trigger the exception	19:09
*** wyllys has joined #openstack-keystone		19:09
ayoung	morganfainberg, don't ack that patch...I think it might be broken	19:11
morganfainberg	ayoung, k.	19:11
wyllys	has anyone looked into the issues with the user-create operation with an AD LDAP backend?	19:13
ayoung	morganfainberg, It might not be any worse than things are now, but if REMOTE_USER is set, and external is not, I think it will give out an unscoped token	19:13
ayoung	wyllys, can't use subtree and do it	19:13
wyllys	why?	19:13
ayoung	where would you put the newly created user? Which subtree?	19:13
wyllys	cn=Users	19:14
marekd	dstanek: look what's the convention here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/base.py#L309	19:14
wyllys	perhaps not a subtree	19:14
bknudson	I'm surprised that anyone using AD would want to create users with keystone	19:14
marekd	dstanek: and later how functions like _build_url look like	19:14
ayoung	bknudson, they are running tests	19:14
bknudson	doesn't AD have tools to create uses?	19:14
wyllys	sure AD does.	19:14
ayoung	and those test s create temporary users	19:14
wyllys	but its conceivable to use an openstack front end UI to manage basic user operations	19:15
wyllys	code as of today seems broken in that area.	19:16
wyllys	tries to create users with no password but with userAccountStatus of 512 (NORMAL), AD wont allow that.	19:16
wyllys	also, keystone sends SHA hash of password, when it should be unicode utf16le encoded and let AD handle the hashing (“unicodePwd” attribute).	19:17
nkinder_	wyllys: most people seriously using AD don't want to create users outside of their normal AD provisioning process	19:17
nkinder_	wyllys: keystone does have CRUD operations for users, but the main use case for them is when the SQL backend is used (there are exceptions to this of course)	19:18
wyllys	probly so. i fell down this rabbithole a couple of days ago and thgis is where i ended up.	19:18
nkinder_	wyllys: it's a hole best avoided :)	19:18
wyllys	too late:)	19:18
ayoung	wyllys, it works with OpenLDAP, too	19:19
wyllys	openldap has slightly different schema, i think.	19:19
nkinder_	wyllys: you start to push knowledge of all of your required LDAP schema into keystone at that point, and it gets ugly	19:19
wyllys	uglie-ER	19:19
wyllys	lol	19:19
nkinder_	wyllys: more than slightly different	19:19
ayoung	I know people have gotten it to work, but I have not actually touched AD myself.	19:19
*** nsquare has quit IRC		19:19
ayoung	I'm allergic to AD. I have a Doctor's note saying I'm not allowed.	19:19
wyllys	i got managed to get everything else working - roles can be added/deleted. user can be deleted OK, too.	19:20
wyllys	main issue is initial user creation and password changes.	19:20
nkinder_	wyllys: keystone should be sending the clear password to any LDAP server when you attempt to set a new password (not a hash)	19:20
wyllys	nkinder_: yes	19:21
wyllys	it should but its not	19:21
nkinder_	wyllys: what version of Keystone are you using?	19:21
wyllys	2014.1.1	19:21
nkinder_	wyllys: I ripped out some LDAP hashing code in Keystone a little while back...	19:21
*** nsquare has joined #openstack-keystone		19:21
morganfainberg	ayoung, that doctor's note looks a lot like the "notes" you get here in california for "medical" use of stuff (not that I'd know, I don't do that)	19:21
wyllys	for AD it should send unicode - base64.b64encode(unicode("\"AnExamplePassword1!\"").encode('utf-16-le'))	19:21
nkinder_	wyllys: https://bugs.launchpad.net/keystone/+bug/1308793	19:22
uvirtbot	Launchpad bug 1308793 in keystone "Remove LDAP password hashing code" [Medium,Fix released]	19:22
nkinder_	nkinder_: looks like that's only for Juno	19:22
ayoung	morganfainberg, here is a picture of my Doctor http://37.media.tumblr.com/Ml35wy8Lxn6u5mt4YOUSCZlbo1_250.jpg	19:22
nkinder_	boy, I'm talkin gto myself already...	19:23
wyllys	If user create and password stuff is not going to be fixed for AD, then it should at least be documented.	19:23
nkinder_	wyllys: well, it could be proposed for a backport	19:23
nkinder_	IMHO, it is broken	19:24
wyllys	imho also.	19:24
nkinder_	that said, there is more work needed for AD passwords since they use unicodePassword vs userpassword like normal LDAP servers	19:24
wyllys	i think i could make it work, though, but its not clear that its valuable to anyone since its an odd use case.	19:24
wyllys	right	19:24
ayoung	morganfainberg, OK, so the problem pre-exists	19:25
ayoung	and the question is, if there is a REMOTE_USER but nothing to handle it, why does the authenticate call not fail	19:25
nkinder_	wyllys: even with my fix, we would just treat unicodePassword like userPassword and send the plain password across	19:25
wyllys	nkinder_ it needs to be unicode/UTF-le-16 encoded for AD.	19:26
morganfainberg	dolphm, jamielennox\|away, topol, stevemar, dstanek, gyee, did we want to pyush for the middleware split this week? or should i wait for next week and re-ask?	19:26
nkinder_	wyllys: oh, I know. It won't work otherwise	19:26
wyllys	right	19:26
nkinder_	wyllys: I've had to deal with that before working on 389 DS	19:26
wyllys	that’d probably require another config option so the ldap code would know how to handle it.	19:26
topol	o/ whats up?	19:26
ayoung	morganfainberg, check me on this http://paste.fedoraproject.org/111276/40320595/ fails with raise mismatch_error	19:27
ayoung	MismatchError: <bound method Auth.authenticate of <keystone.auth.controllers.Auth object at 0x43ec410>> returned None	19:27
ayoung	that is against master	19:27
ayoung	ah, wait	19:28
ayoung	I wonder if the config is not getting wiped	19:28
*** nsquare has quit IRC		19:28
ayoung	yeah, the AUTH_METHODS collection is already populated	19:29
ayoung	probaly by the setup	19:29
morganfainberg	topol, dolphm, etc oh nvm we merged the spec	19:29
morganfainberg	cool, i'll get that split ready for tomorrow's infra review	19:30
topol	yay, any specs pressing for a review or can I go back to reviewing keystone patches?	19:30
stevemar	topol, review keystone2keystone... if you are brave enough	19:30
stevemar	or the middleware one, that one is cool too	19:30
marekd	stevemar: lol	19:30
topol	has dolphm noticed its takes a longtime to get blueprints in compared to the previous model? I saw dims when I was in Boston and we were chatting about that	19:31
marekd	stevemar: btw did the port 5000 work?	19:31
morganfainberg	topol, well we also are just getting our footing for this spec process	19:32
stevemar	marekd, i'm trying it out now... gave the latest SP metadata to our IdP guy	19:32
morganfainberg	topol, i think K will be easier (especially since we can pre-load the BPs)	19:32
topol	morganfainberg, I agree and understand	19:32
topol	morganfainberg how does pre-load help?	19:33
marekd	stevemar: sure.	19:33
dstanek	stevemar: did they update the k2k based on the IRC meetings?	19:33
marekd	dstanek: nope :/	19:33
*** leseb has joined #openstack-keystone		19:33
dstanek	bummer...	19:34
morganfainberg	topol, before we hit the summit we can have specs laoded for review	19:34
morganfainberg	before even we hit the start of K1	19:34
marekd	btw, how regions work today?	19:35
marekd	how much they separate?	19:35
morganfainberg	more time to work on them less pressure to get them in / moving so we hit our other deadlines	19:35
dolphm	topol: we're certainly raising the bar, but otherwise i agree with morganfainberg	19:35
marekd	can vms easily communicate between them?	19:35
dolphm	marekd: the definition of a region is up to the deployer, so there's no hard answer	19:36
topol	dolphm, morganfainberg, can we reduce the detail so it doesnt make us too waterfall-ish? and we remain more agile?	19:36
marekd	dolphm: ok. Cause i think in the k2k bp there might be a number of questions how to make things like networking transparent...	19:36
dolphm	topol: that's an interesting thought - what in the template demands too much detail?	19:37
joesavak	+1	19:37
morganfainberg	topol, interesting, i'd like to see how some smaller BPs (not so wide sweeping) look before we gut too much of it	19:37
* morganfainberg has to go to lunch		19:38
morganfainberg	be back shortly	19:38
joesavak	they are all things we need to think about - but iterating on the spec and knowing when it's enough to start to code is important	19:38
marekd	joesavak: +1	19:38
morganfainberg	joesavak, ++	19:38
marekd	joesavak: but i think we are still missing the main, high level architecture.	19:38
*** leseb has quit IRC		19:38
dolphm	joesavak: you can start writing code as early as you want, as long as you acknowledge you might have to throw away that work early if there's a change in direction of the spec	19:38
joesavak	marekd - for k2k going the bursting region route, i agree. it needs tweaks.	19:38
marekd	dolphm: ++	19:39
joesavak	gotcha dolphm	19:39
stevemar	marekd, did you need to add the <LocationMatch /v3/OS-FEDERATION/websso> location?	19:39
topol	morganfainberg, dolphm, so on my BP, what the CADF looks like I would like to iterate on with stakeholders. So if someone asks for it in detailed that makes me waterfall	19:39
marekd	stevemar: oh, no :(( remove it.	19:40
stevemar	j	19:40
stevemar	k	19:40
joesavak	l	19:40
joesavak	m	19:40
dolphm	topol: link?	19:40
stevemar	n	19:40
marekd	this was my test and forked patch for our internal hck.	19:40
*** hrybacki has quit IRC		19:40
dolphm	o?	19:40
*** hrybacki has joined #openstack-keystone		19:40
joesavak	ohhhh.	19:40
topol	dolphm, its the one that already merged. People didnt push me on it but they could have	19:40
*** hrybacki has quit IRC		19:41
stevemar	topol, shhhh, dont say that too loud	19:41
dolphm	topol: when i'm reading the specs, the two biggest things i care about are "why" (the use case), and the impact. the details of how should be left for the code IMO	19:41
*** hrybacki has joined #openstack-keystone		19:41
topol	dolphm, ++++	19:41
dolphm	and the biggest benefit i've seen of specs so far is forcing everyone to think about the impact early on	19:42
topol	dolphm, so perhaps that should be placed at the top of the template so folks don't go overboard asking for more	19:42
bknudson	get rid of the sections we don't care about	19:42
topol	bknudson +++	19:42
topol	you all smelling my cooking	19:42
marekd	joesavak: that said, i sometimes start to think that "100% transparency for the user" in the k2k is not always the best idea :P Suppose they want to run some scalable software and expect machines to communicate excessively. I am not sure we can work on every issue to make two clouds at some point work like one hybrid one. Am I fearing correctly?	19:43
dolphm	bknudson: like what?	19:43
*** rodrigods has quit IRC		19:43
dolphm	bknudson: topol: ooh, let me propose a change of wording	19:43
bknudson	dolphm: if we only care about the use case and the impact then can remove the other sections	19:44
dolphm	bknudson: almost the entire thing is already impact	19:44
bknudson	e.g., Implementation and Testing	19:44
joesavak	marekd - 100% transparency is possible, 50% transparency is possible. 0% transparency is posisble - all depending on how the identity provider & service provider trusts are setup	19:44
dolphm	bknudson: implementation is just assignees and work items - both of those are useful to me, at least	19:45
bknudson	"Here is where you cover the change you propose to make in detail." -- so it's expecting details of the implementation	19:45
dolphm	bknudson: more so near a milestone when i need to know if a bp is completed	19:45
marekd	joesavak: the thing is i am starting to talk about networking for instance.	19:45
dolphm	bknudson: that's what i'm tweaking now	19:45
marekd	joesavak: suppose we have 100% transparency from the authn&authz level.	19:45
joesavak	marekd - identity federation is the first step to increasing the transparency level - seeing that 2 different "openstack networks" or "openstack cells" across different service providers don't talk the same klingon	19:46
*** hrybacki has quit IRC		19:46
joesavak	knowing is 1/2 the battle. (GI Joe), and identity federation allows us to know what blockers in other services there are to providing seamless k2k, n2n, s2s, and other openstack-initial 2 openstack-initial federation	19:47
marekd	joesavak: baby steps baby steps...right?	19:47
joesavak	yup	19:47
marekd	joesavak: so i am in :-)	19:47
joesavak	score.	19:48
dolphm	topol: bknudson: morganfainberg: https://review.openstack.org/#/c/101304/	19:49
henrynash	morganfainberg, dolphm, dstanek, ayoung: so question on making the hash algorithm configurable for the multi-baclen uuids…..a) do we want to make it configurable at all (default should be sha256), b) if it is configurable, are we thinking config param to select from a few support values (e.g. sha1, sha224, sha256) or to provide a pluggable backend where providers could substitute their own	19:50
henrynash	?	19:51
*** leseb has joined #openstack-keystone		19:51
ayoung	henrynash, yeah, we want configurable, in case sha256 is broken at some point	19:52
ayoung	of course, if you change it, then all of the backend data is now trash	19:53
henrynash	ayoung: and configurable so we have a pluggable hash provider backend or just a choice of built in values?	19:53
henrynash	ayoung: (agreed)	19:53
ayoung	henrynash, well, if it is a provider, then we can swap out hash for something else in the future	19:53
ayoung	but that might be overkill	19:54
ayoung	then again, you can never have too much overkill	19:54
henrynash	ayoung: that’s my dileman……so it overkill….I’m also wary of locking in high secuirty hask algorithms in case there are limitatins of exports etc..	19:54
*** juanmo has joined #openstack-keystone		19:55
ayoung	henrynash, plugin means a code change. Hash means a config change. RIght?	19:55
*** juanmo1 has quit IRC		19:56
henrynash	ayoung: I;m thinking we could have a hash driver, where we provide sha256 (and maybe sha1) but someone could provide a shaxxx driver if they wanted	19:56
ayoung	henrynash, best of both worlds?	19:56
*** leseb has quit IRC		19:56
henrynash	ayoungL it would be a super simple driver….receieva dict ad hash all teh contents	19:56
ayoung	shaxxx sounds like something naughty	19:57
dolphm	topol: bknudson: morganfainberg: and some additional clarity on what i think the problem description should convey https://review.openstack.org/#/c/101307/	19:57
henrynash	ayoung: the dark net?	19:57
*** nsquare has joined #openstack-keystone		19:57
*** gyee has joined #openstack-keystone		20:00
dstanek	ayoung, henrynash: what is being hashed that we fear the hashing algorithm being broken?	20:03
henrynash	ayoung, dolphm, morganfainberg, dtsanek: new version of multi-backend uuid spec: https://review.openstack.org/#/c/100497/ and new version of pre-cursor move of ID generation from controller to manager: https://review.openstack.org/#/c/100833/	20:03
ayoung	dstanek, the userid is produced as the hash of the components	20:04
ayoung	if you change the algo, you can't reporduce the userids	20:04
henrynash	dstanek: I agree that it is debatable whether the output of the hash should be considered “sensitive data"	20:04
dstanek	ayoung: right, but why are we worried about the security of the hashing algorithm? are we hashing something that is secret?	20:05
*** marcoemorais has quit IRC		20:05
dstanek	henrynash: it can't be sensitive if it's an ID right?	20:05
ayoung	henrynash, this is not rational. It is based on compliance rules, which are just applied across the board	20:05
dstanek	by definition we'll hand that out	20:05
*** marcoemorais has joined #openstack-keystone		20:05
henrynash	dstanek: so the wording in the updated spec….for most installations it really is just about chosing an algorithm that has minimal collision risk for the number of bytes we have available	20:06
dolphm	dstanek: henrynash: technically you could theoretically force a collision and compromise someone's identity	20:06
dstanek	dolphm: what is compromised? they shouldn't be able to use the account without creds and we shouldn't allow dup IDs	20:08
dolphm	dstanek: well we're doing it for groups too, right?	20:09
bknudson	I think you can put a user id in a policy file, in which case they'd be getting their permissions	20:09
henrynash	dstanek, dolphml I’m trying to think of case when the security aspect is the issue…I can imagine that possibly being true for the default domain (since the ID of that domain is the same in all clouds), but for other domains since we are hashing in a uuid domain_id, I can’t really see how anyone can deduce much	20:09
henrynash	dolphm: true	20:09
dstanek	dolphm: not sure about groups - i'll have to chew on that	20:10
*** david-lyle has joined #openstack-keystone		20:10
dstanek	bknudson: even if you put a userid in the policy how will the attacker claim that are that user?	20:10
dstanek	the can't get a token with that id because they don't have the creds	20:11
bknudson	they'd have to get their mapping in the table first	20:11
dstanek	bknudson: if we don't allow dups then they couldn't	20:12
dstanek	and i don't think we can allow dups because that means that a collision is a compromise	20:12
bknudson	I don't think we allow dups since the user ID would be the primary key	20:12
bknudson	isn't the map user ID -> domain ID + domain user ID	20:13
henrynash	I guess ayoung’s point is that we’ve all seen teh directives that say “stop using hasing algorithm XYZ it’s been shown to be insecure”…and if we don;t have a way of chaning it (even though our use is not so much abou secuirty) we could cause people to have issues with supporting OpenStack	20:13
dstanek	i'm not sure about groups though	20:13
dstanek	henrynash: that's when the hashing related to security - storing password, transmitting signatures, etc. - nobody is complaining that we are using uuid for ids	20:16
*** arun_kant has joined #openstack-keystone		20:16
dstanek	i'm not saying that we shouldn't make it configurable only that we need to make sure the security impact is accurate	20:16
henrynash	dstanek: agreed	20:17
dstanek	for example, if it is configurable we need to explain what attacks are possible	20:17
*** jgriffith has joined #openstack-keystone		20:18
jgriffith	Anybody able to help me understand why I suddenly can't access any API's on my OpenStack system that's been running for a year?	20:19
jgriffith	Suddenly getting "authorizaton failed" for any of the services	20:19
henrynash	dtsanek: off to think abou that….	20:20
bknudson	jgriffith: did a certificate expire?	20:21
jgriffith	bknudson: possibly... this isn't my system	20:21
jgriffith	and there's a couple hundred tokens in the DB	20:21
jgriffith	a number of them expired	20:21
jgriffith	bknudson: given I can access keystone xxxx with my creds the token expire makes sense	20:22
jgriffith	how do I fix that :)	20:22
bknudson	jgriffith: I wasn't thinking a token had expired, but maybe keystone's PKI certificate.	20:23
*** wyllys has quit IRC		20:23
jgriffith	Oh...	20:23
jgriffith	hmm...	20:23
jgriffith	hints on how/what to check?	20:23
bknudson	jgriffith: do you have access to the logs? although with the poor logging we do I'm not sure it would help	20:24
jgriffith	bknudson: I do have access	20:25
jgriffith	yes	20:25
jgriffith	bknudson: lemme turn on debug logging and try again	20:25
jgriffith	see if anything good shows up	20:25
*** marcoemorais has quit IRC		20:26
*** marcoemorais has joined #openstack-keystone		20:26
*** wyllys has joined #openstack-keystone		20:28
jgriffith	hmm... that certainly dumps info to logs	20:28
*** topol has quit IRC		20:35
jgriffith	bknudson: I'm at a bit of a loss... anything inparticular I can look for in the logs?	20:46
bknudson	jgriffith: are there complaints from openssl about certificate expiratin?	20:46
jgriffith	checking	20:46
*** erecio has quit IRC		20:47
bknudson	these would be in nova or whatever service you're accessing	20:47
jgriffith	bknudson: that's what's weird... nothing much in nova-api log	20:47
jgriffith	http://pastebin.com/AwEhEQYz	20:48
bknudson	jgriffith: I'd think it was weird, too, but we really do a poor job of logging	20:48
jgriffith	hehe.. I have a new appreciation for our users	20:48
jgriffith	I should've worked from home today :)	20:49
*** ncoghlan_afk is now known as ncoghlan		20:51
jgriffith	bknudson: according to the team that owns this system they did nothing	20:51
jgriffith	bknudson: so the expired cert theory makes sense	20:51
jgriffith	bknudson: how would I go about updating/fixing that	20:52
*** packet has quit IRC		20:52
bknudson	jgriffith: the pki certs are generated with keystone-manage pki_setup	20:52
*** leseb has joined #openstack-keystone		20:52
bknudson	jgriffith: then you'll want to get rid of the certs that are cached by the auth_token middleware	20:52
bknudson	jgriffith: hmm, looks like by default the certificate valid days is 10 years	20:54
bknudson	so maybe that's not it	20:55
jgriffith	bknudson: I just ran certificates/signing	20:55
jgriffith	says valid til today	20:55
jgriffith	so taht seems to be our issue	20:55
jgriffith	http://pastebin.com/FU7GvcpM	20:56
*** leseb has quit IRC		20:57
*** praneshp has quit IRC		20:58
dolphm	stevemar: you missed the other one ;) https://review.openstack.org/#/c/101307/	20:58
bknudson	maybe the default changed or they ran some commands themselves to generate it	20:58
*** juanmo has quit IRC		20:59
jgriffith	bknudson: maybe.. but this is "old" setup	20:59
jgriffith	bknudson: Grizzly	20:59
*** wyllys has quit IRC		20:59
stevemar	dolphm, d'oh!	20:59
jgriffith	My initial response was "this is a great time to upgrade" :)	20:59
stevemar	dolphm, approved, awesome sauce	21:00
ayoung	jgriffith, use a real CA, and real certs, and not pki/ssl setup, if you have access to one	21:00
bknudson	jgriffith: grizzly is out of support so there's no security updates	21:00
bknudson	unless you're paying someone to backport	21:00
jgriffith	bknudson: they pay me for the Cinder stuff :)	21:01
*** ncoghlan is now known as ncoghlan_afk		21:01
jgriffith	ayoung: so can I just regenerate/update whatever they had before easily? IE they can get by for another year ;)	21:02
*** praneshp has joined #openstack-keystone		21:02
ayoung	jgriffith, I think the quote is "if you are not part of the solution, there is big money in prolonging the problem"	21:03
dolphm	stevemar: danke!	21:03
jgriffith	ayoung: LMAO	21:03
* dolphm is MIA tomorrow, see everyone monday		21:03
jgriffith	ayoung: problem is it's "my employer" so I'm not "really" making money on it :)	21:03
jgriffith	ie SolidFire internal OpenStack cluster	21:03
jgriffith	I convinced the automation team to dump vmware a couple years ago and go openstack	21:04
ayoung	jgriffith, I think quote now is doubly valid	21:04
jgriffith	ooops :)	21:04
jgriffith	karma sucks	21:04
jgriffith	LOL.. good point	21:04
ayoung	nah...good call	21:04
bknudson	dolphm: enjoy your time off	21:04
* jgriffith goes to ask boss for a raise		21:04
jgriffith	ayoung: bknudson this look like the right idea?	21:05
jgriffith	http://www.blackmesh.com/blog/openstack-refusing-authentication-psh	21:05
bknudson	jgriffith: tell them that everyone else is deploying from master	21:05
jgriffith	bknudson: ha!	21:05
ayoung	stevemar, morganfainberg so...assuming that I've knocked out the pep8 issues, and it passes gate, are you guys good with https://review.openstack.org/#/c/95989/ and the new test https://review.openstack.org/#/c/101302/4 ?	21:05
jgriffith	bknudson: funny, I was just talkign to someone last night about how I don't hear that so much anymore	21:05
jgriffith	although personally I like it	21:06
dstanek	question for all ya guys: is it worth the effort to make this more technically accurate using AST instead of string matching https://review.openstack.org/93013	21:07
dstanek	i've actually already done most of the work, but not that I see this i'm wondering if i should finish or just let this slide through	21:07
bknudson	jgriffith: maybe valid_days was broken in grizzly... there were a bunch of changes to the openssl code at one point	21:07
jgriffith	bknudson: so long ago who can remember	21:08
jgriffith	I cringe when people ask about Havana :)	21:08
ayoung	jgriffith, so you know what you need to do?	21:08
stevemar	ayoung, likely would be good with it	21:09
bknudson	or maybe valid_days is still broken. should check it	21:09
ayoung	stevemar, can you ACK the test patch	21:09
ayoung	stevemar, the Kerberos method name one is only a rebase, so no real change	21:09
jgriffith	ayoung: I'm going to try and follow that blog post I found	21:10
jgriffith	see how it goes	21:10
jgriffith	how bad could it end up :)	21:10
ayoung	jgriffith, my blog?	21:10
bknudson	jgriffith: oh, that's not your blog... I thought it might be	21:10
ayoung	you need to regen the certs on Keystone first, and then wipe out the files in the remote servers, and they should get refetched	21:10
jgriffith	ayoung: I used yours to verify it was hosed	21:10
jgriffith	ayoung: yeah... working that now	21:11
bknudson	jgriffith: I wouldn't suggest "just replace their copies of the appropriate files" -- should be able to delete the files and auth_token will fetch them again	21:11
jgriffith	ayoung: bknudson thanks to both of you!	21:11
*** joesavak has quit IRC		21:11
ayoung	yeah what bknudson said is right	21:11
ayoung	regenerate the files on keystone, then test one server at a time	21:11
bknudson	jgriffith: e.g., these guys: /var/lib/cinder/cacert.pem , just remove them	21:11
ayoung	I'd recommend starting with glance image-list	21:11
ayoung	and cinder list	21:12
jgriffith	ok.. thos are all removed	21:12
ayoung	and the like, make sure all of the services work with the new certs	21:12
ayoung	jgriffith, well, they were removed. If you remved them before you regenerated the certs, and someone else hit the server, they were refechced	21:12
ayoung	refetched	21:12
jgriffith	they're lib/CA/xxxx	21:12
jgriffith	ahhhh	21:13
*** praneshp has quit IRC		21:13
*** jimbaker has quit IRC		21:21
*** david-lyle has quit IRC		21:23
*** dims has quit IRC		21:23
*** morganfainberg is now known as morganfainberg_Z		21:24
*** dims has joined #openstack-keystone		21:24
*** praneshp has joined #openstack-keystone		21:27
*** jamielennox\|away is now known as jamielennox		21:29
bklei	jamielennox any chance you could take another peek at https://review.openstack.org/#/c/92390?	21:30
jamielennox	bklei: sure - will do	21:31
bklei	gracias!	21:31
*** openstackgerrit has joined #openstack-keystone		21:34
*** topol has joined #openstack-keystone		21:47
*** bklei has quit IRC		21:48
*** david-lyle has joined #openstack-keystone		21:50
*** leseb has joined #openstack-keystone		21:53
*** leseb has quit IRC		21:55
*** leseb has joined #openstack-keystone		21:55
*** morganfainberg_Z is now known as morganfainberg		21:55
*** dims has quit IRC		21:58
*** leseb has quit IRC		21:59
*** topol has quit IRC		22:01
jgriffith	ayoung: bknudson sorry to keep bugging :(	22:01
jgriffith	ayoung: bknudson any pointers on this: http://paste.openstack.org/show/84538/	22:01
ayoung	looking	22:02
jgriffith	do I need to nuke everything in that dir before running?	22:02
ayoung	jgriffith, permissions?	22:02
*** lbragstad has quit IRC		22:02
jgriffith	shouldnt think so... I'm root	22:02
ayoung	who owns /etc/keystone/ssl and subdirs	22:02
*** oomichi has joined #openstack-keystone		22:02
jgriffith	keystone is owner	22:03
ayoung	failed to update database	22:03
ayoung	TXT_DB error number 2	22:03
ayoung	let me see...	22:03
jgriffith	ayoung: ohhh...	22:04
jgriffith	ayoung: so, my new signing_cert that gets generated though is root/root	22:04
jgriffith	ayoung: you think it get's unhappy because of the mismatch there?	22:04
ayoung	jgriffith, is it the pki_setup that is failing, or keystone run afterwards?	22:05
bknudson	I think there's an option to pki_setup for the user ID	22:05
jgriffith	pki_setup	22:05
ayoung	you are supposed to add a special flag if it is run as root	22:05
jgriffith	Oh?	22:05
ayoung	but that might not have been there in grizzly	22:05
*** dims has joined #openstack-keystone		22:06
jgriffith	hmm... well heck	22:06
*** jimbaker has joined #openstack-keystone		22:09
jgriffith	ayoung: looking at the code the keystone/cli seems to pass keystone_user_id and group ot openssl.configure	22:10
ayoung	jgriffith, hang on, solving other probklem elsewhere	22:10
jgriffith	no worries	22:10
*** henrynash has quit IRC		22:12
*** henrynash has joined #openstack-keystone		22:15
*** nsquare has quit IRC		22:19
openstackgerrit	henry-nash proposed a change to openstack/keystone-specs: Always use a hash based Public ID for cross backend identifiers https://review.openstack.org/100497	22:22
*** henrynash has quit IRC		22:23
ayoung	morganfainberg, is it practical to break this in Horizon?	22:24
morganfainberg	ayoung, horizon needs to use the ids as given by keystone	22:24
morganfainberg	i have no idea how to get there from here	22:24
ayoung	morganfainberg, its going to break your logging the tracking ids too	22:25
morganfainberg	yep	22:25
ayoung	is there truely no session data in Horizon?	22:25
morganfainberg	as david lyle?	22:25
morganfainberg	ask*&	22:25
morganfainberg	#openstack-horizon	22:26
*** andreaf_ has quit IRC		22:26
bknudson	horizon has session data	22:27
bknudson	it's provided by django	22:27
bknudson	I think there's an ossn about it	22:27
bknudson	https://review.openstack.org/#/c/99420/	22:28
jgriffith	ayoung: bknudson so I hacked some things up and can now run pki_setup, but the expiration date is still the "old" date?	22:29
jgriffith	is there something else that feeding that in?	22:30
jgriffith	suppose I could just change the date on the systems :)	22:30
jgriffith	ha!	22:33
ayoung	jgriffith, hmmmm	22:33
jgriffith	ayoung: figured it out	22:34
jgriffith	ayoung: at least generating things	22:34
ayoung	whew. thought I was going to have to start looking at Grizzly code	22:34
jgriffith	now to get them in place and hope it all works	22:34
jgriffith	:)	22:34
jgriffith	So I just hacked the keystone/common/openssl a bit to do what I want	22:34
*** openstackgerrit has quit IRC		22:34
jgriffith	or what i think I want :)	22:34
jgriffith	so in theory, just shutdown services, load the new cert.pem in each one and go	22:35
*** 20WAAHXAJ has joined #openstack-keystone		22:36
*** doddstack has quit IRC		22:37
bknudson	red hat ci is a tough cookie! http://people.redhat.com/~iwienand/101347/	22:37
ayoung	bknudson, I see nothing in that log that says what failed.	22:40
bknudson	one of them says "Cannot open: http://dl.fedoraproject.org/pub/epel/beta/7/x86_64/epel-release-7-0.1.noarch.rpm. Skipping."	22:41
bknudson	one says "[ERROR] /home/stack/devstack/functions-common:599 git call failed: [git clone git://git.openstack.org/openstack/cinder.git /opt/stack/cinder]"	22:41
bknudson	fatal: Unable to look up git.openstack.org (port 9418) (Temporary failure in name resolution)	22:42
bknudson	so maybe a dns prob	22:42
ayoung	morganfainberg, I just realized that, even with PKIZ, we don't have the tokens small enough to fit in a cookie. But...if they only stored unscoped tokens, they should be small enough	22:43
ayoung	session cookies again	22:43
morganfainberg	ayoung, sigh	22:43
ayoung	morganfainberg, No, not sigh. This is good	22:43
ayoung	this is the reason to do it	22:43
morganfainberg	no that it's an issue at all	22:43
morganfainberg	session tokens = good	22:43
morganfainberg	but this being an issue at all is annoying	22:44
ayoung	morganfainberg, I am pretty sure the Horizon guys did what they did on my suggestion back when I implemented PKI tokens.	22:44
ayoung	It was the only way to work around the limitations back then.	22:44
ayoung	anyway...headed home, and I'm a think about session tokens when I get there	22:44
morganfainberg	k	22:45
*** hrybacki has joined #openstack-keystone		22:48
*** ayoung has quit IRC		22:49
*** openstack has joined #openstack-keystone		22:50
morganfainberg	jamielennox, ping have a question	22:59
morganfainberg	jamielennox, 2014-06-19 22:23:29.001 6918 WARNING keystoneclient.middleware.auth_token [-] Configuring admin URI using auth fragments. This is deprecated, use 'identity_uri' instead.	22:59
morganfainberg	jamielennox, this is the unversioned endpoint stuff, right?	23:00
*** nsquare has joined #openstack-keystone		23:01
morganfainberg	jamielennox, nvm got it	23:02
dstanek	morganfainberg: first impressions? http://dpaste.com/1RTPWBT	23:06
morganfainberg	dstanek, looking	23:09
morganfainberg	dstanek, at a glance it seems kinda straightforward	23:10
*** gordc has quit IRC		23:10
morganfainberg	dstanek, can look at it more in depth a bit later middle of trying to split/re-merge all the repos/tress for middleware split	23:11
jgriffith	bknudson: I've got everything working again except Nova	23:11
jgriffith	any ideas what I may have missed?	23:11
dstanek	i have to comment on it a little more and clean out the duplication, but it's the code i wrote to detect LOG.debug(_(	23:11
jgriffith	ie is there anything special for Nova?	23:11
dstanek	morganfainberg: no need to go into detail, but why you have time think about that vs. https://review.openstack.org/#/c/93013/9/keystone/hacking/checks.py	23:12
dstanek	s/why/when/	23:12
morganfainberg	dstanek, ++ will do	23:12
*** hrybacki has quit IRC		23:13
morganfainberg	dstanek, btw, ouchy brain hurts from using git subtree split	23:13
morganfainberg	and then remerging into a completely separate tree	23:13
*** hrybacki has joined #openstack-keystone		23:13
jamielennox	morganfainberg: no, it's just auth_host, auth_port, auth_protocol -> identity_uri	23:14
morganfainberg	jamielennox, yeah i saw that. am elbow deep in get repo split/merge/split/remergeing	23:14
morganfainberg	jamielennox, my brain didn't put 2 and 2 together till i looked at the code	23:15
dstanek	morganfainberg: haha, been there and never want to do it again	23:16
morganfainberg	dstanek, i've gotten most of the middleware and tests shuffled around, keeping all history - i might opt to lose the history on the keystone middleware tests vs the ksc middleware tests.	23:18
hrybacki	Do each of the components have people that actually work on documentation or is that a sort of pipe dream?	23:19
jgriffith	morganfainberg: ping	23:22
morganfainberg	jgriffith, pong	23:22
jgriffith	morganfainberg: so our ssl cert expired today :(	23:22
jgriffith	I've managed to generate a new one and get all the services back up except nova	23:22
jgriffith	It just occured tome...	23:23
morganfainberg	jgriffith, oh icky :( ssl no fun	23:23
jgriffith	I'll need to update certs on every single nova node won't I?	23:23
jgriffith	I mean, sure it's just a copy over, but that sucks	23:23
jgriffith	especially since I don't really know all of the nodes :(	23:23
morganfainberg	jgriffith, that sounds correct	23:23
morganfainberg	jgriffith, =/	23:23
jgriffith	or is there a different way to do this that I don't know	23:24
jgriffith	boooo... morganfainberg	23:24
morganfainberg	jgriffith, wait this for token validation?	23:24
jgriffith	I was hoping you'd say... Oh no, just use this tool :)	23:24
jgriffith	nah.. my ssl cert expired this am	23:24
morganfainberg	jgriffith, i .. think the middleware will download the cert from keystone on restart	23:24
jgriffith	Oh?	23:24
jgriffith	just reboot all the compute nodes?	23:24
morganfainberg	jgriffith, for token validation signing cert	23:24
jgriffith	Ohhh... caveat!	23:25
dstanek	hrybacki: what do you mean by components?	23:25
jgriffith	I'm on grizzly	23:25
morganfainberg	jgriffith, hhhhmm	23:25
jgriffith	morganfainberg: yes, toek validation signing cert	23:25
morganfainberg	jgriffith, what version of keystoneclient ?	23:25
morganfainberg	jgriffith, because the middleware comes from there (well newer versions) not from keystone itself	23:25
jgriffith	morganfainberg: hmm.. good question	23:25
morganfainberg	jgriffith, not sure when we converted that over	23:25
jgriffith	why don't we have "keystone/cinder/... --version"	23:25
morganfainberg	jgriffith, oh but os-simple-cert.	23:26
*** hrybacki has quit IRC		23:26
morganfainberg	uh. you might need to copy the certs out	23:26
morganfainberg	even w/ all the magic logic.	23:26
jgriffith	crumbs	23:26
jgriffith	I thought that might be the case	23:26
morganfainberg	jgriffith, i uh haven't looked at grizzly code in a while /me is embarassed not to have a better answer	23:26
jgriffith	morganfainberg: don't be... it's grizzly code :)	23:27
morganfainberg	2 questions: are you sourcing the middleware from keystoneclient or keystone?	23:27
jgriffith	I appreciate the help	23:27
jgriffith	morganfainberg: ok... until today I had never looked at keystone	23:27
morganfainberg	jgriffith, lol no worries	23:27
jgriffith	so.... I am embarassed to say I probably don't know what you're asking :)	23:27
jgriffith	I did: keystone-manage pki_setup	23:27
morganfainberg	jgriffith, in the nova-api paste, does it load auth_token_middleware form keystone.middleware or keystoneclient.middleware	23:28
jgriffith	copied the new cert files to /var/lib/cinder\|quantum\|nova	23:28
morganfainberg	the safest bet is likey copying the certs in place (at least that way you're sure).	23:28
jgriffith	paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory	23:28
morganfainberg	ok so that is good	23:29
morganfainberg	let me look at keystone grizzly for a sec	23:29
*** hrybacki has joined #openstack-keystone		23:29
jgriffith	morganfainberg: awesome	23:29
jgriffith	I'll start writing a script to copy this out to 25 nodes :)	23:29
*** 20WAAHXAJ has quit IRC		23:29
jgriffith	just incase	23:29
morganfainberg	jgriffith, ok so, i don't see the simple_cert contrib in grizzly	23:30
*** dstanek is now known as dstanek_404		23:30
morganfainberg	jgriffith, i would recommend copy the cert out	23:30
jgriffith	whahwahwahwahhhhhh	23:30
morganfainberg	dstanek_404, wouldn't dstanek_410 be more appropriate	23:31
jgriffith	morganfainberg: okie-dokie	23:31
jgriffith	morganfainberg: thanks for the help	23:31
*** openstackgerrit has joined #openstack-keystone		23:31
jgriffith	all of you today... appreciate it	23:31
morganfainberg	jgriffith, sure thing	23:31
*** ayoung has joined #openstack-keystone		23:34
dstanek_404	morganfainberg: 410 implies for good....are you looking into a crystal ball and seeing my future?	23:34
dstanek_404	morganfainberg: this is making me not want to get into that car	23:34
morganfainberg	dstanek_404, well i mean "NotFound" vs "Gone" strictly speaking, i still found you	23:35
dstanek_404	lol, be back later	23:35
morganfainberg	dstanek_404, cheers	23:35
ayoung	morganfainberg, I'm in dad mode, but I think the solution is that we need to set up caching in Horizon. I suspect Dogpile is the right solution. So, for devstack, they get a kvs cache	23:35
ayoung	and with that...I'm in	23:35
*** ayoung is now known as ayoung_DadMode		23:35
morganfainberg	ayoung, see ya in a bit man	23:35
*** leseb has joined #openstack-keystone		23:36
*** arun_kant has quit IRC		23:37
*** hrybacki has quit IRC		23:39
*** leseb has quit IRC		23:41
*** hrybacki has joined #openstack-keystone		23:47
*** amerine has quit IRC		23:50
*** daneyon has joined #openstack-keystone		23:52
*** daneyon has quit IRC		23:52
*** daneyon has joined #openstack-keystone		23:53
jgriffith	morganfainberg: sighh... that didn't work	23:55
morganfainberg	jgriffith, :( it didn't?	23:55
jgriffith	morganfainberg: nope, I'm rather confused	23:55
jgriffith	morganfainberg: my nova-api log has: 2014-06-19 17:50:41.788 20888 INFO nova.osapi_compute.wsgi.server [-] 172.26.75.32 "GET /v2/1551a3b25f624b9baa1efcf44790a422/servers/detail HTTP/1.1" status: 401 len: 464 time: 0.9414210	23:55
morganfainberg	jgriffith, after copying... you might need to restart the nova-api?	23:55
*** david-lyle has quit IRC		23:56
jgriffith	morganfainberg: yeah, I did that assuming I hit all of them	23:56
morganfainberg	i don't think it loads the cert on each request... or.. huh maybe it does with popen	23:56
jgriffith	Unless there's something else causing the 401?	23:56
morganfainberg	where is auth_token looking for the cert for nova? i assume you got it in the right place (don't doubt your script, but sometimes it's a typo ro something)	23:57
jgriffith	morganfainberg: fair :)	23:57
jgriffith	I dumped it to /var/lib/nova/CA/	23:57
morganfainberg	the [auth_token] or [keystone_auth_token] section of the config (i forget which) will say it's looking someplace specific	23:58
morganfainberg	usually	23:58
jgriffith	morganfainberg: sighh... I hope they're not all different or I might cry :)	23:58
jgriffith	cluster-ssh to the rescue	23:58
morganfainberg	jgriffith, i hope so too!	23:58
*** dims has quit IRC		23:58
morganfainberg	crying = bad	23:58
jgriffith	LOL	23:59
jgriffith	hmm.. which conf file?	23:59
jgriffith	I don't see those (grizzly)	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!