Monday, 2014-06-23

*** jamielennox|away has joined #openstack-keystone00:05
*** stevemar has quit IRC00:14
*** jamielennox|away is now known as jamielennox00:26
jamielennoxhrybacki: here?00:28
hrybackijamielennox++00:29
jamielennoxi just realized i was an idiot and it's sunday.. but that never seems to matter00:29
hrybackihaha, yeah most of the core names never seem to get off this channel00:29
jamielennoxthey aren't always here, but more often than not i guess00:30
jamielennoxso what do you want to know about sessions?00:30
hrybackiWell, I was wondering what about certain components make them more difficult to integrate00:31
hrybackiIs it solely how many points of contact they have with keystone?00:31
hrybackiI'm still building my mental blueprints of OpenStack00:31
jamielennoxno, it's not really related to keystone at all in terms of converting clients, it's more about what client specific ways they communicate00:32
jamielennoxso for example glance and i assume cinder that do large file transfers do chunking00:32
hrybackinods00:32
jamielennoxthat's something i know the session could handle but i haven't tried it00:32
jamielennoxdifferent clients do different things with SSL certs00:33
jamielennoxby default requests has a list i think of standard CA certs, the OS package of requests should override that with the system CA certs00:33
hrybackiokay00:34
jamielennoxmy bad, requests by default ships with nothing and then you are supposed to use certifi or something for default CAs00:34
jamielennoxbut if you install via pip as most people do you get nothing00:34
jamielennoxso for example neutron i think goes and tries to see if it can load system CAs in the client code00:34
hrybackiWhat made you describe one of the components as rubbish?00:37
jamielennoxheh, um they have been doing some interesting things to integrate the session object00:38
jamielennoxfor neutron and cinder i've just said that the old code can still exist and that if you pass a session then you get the new functionality00:38
*** morganfainberg_L has quit IRC00:39
jamielennoxlet me see if i can find it00:39
hrybackiintegration with glance will be a bit more complex?00:39
jamielennoxso the python original way to do http is with httplib00:40
jamielennoxthere are a whole lot of problems with httplib, chief amongst them for us is that they don't handle SSL certs correctly00:41
jamielennoxwe (and most of the python community) has moved to using a library called requests00:41
* hrybacki nods00:41
jamielennox(which is just a wrapper around httplib, but handling a lot of common cases for us correctly)00:41
hrybackiwhen did keystone/client convert?00:42
jamielennoxthere was a push a while ago to move all the clients to requests, glance seems to have ignored that and instead done their own SSL validation00:42
hrybackiand have all of the other components made the switch?00:42
hrybackithat seems odd00:42
jamielennoxthis was the tracker: https://bugs.launchpad.net/bugs/118818900:43
uvirtbotLaunchpad bug 1188189 in cinder "Some server-side 'SSL' communication fails to check certificates (use of HTTPSConnection)" [High,In progress]00:43
jamielennoxthey had a reason00:43
jamielennoxah, no that's the server side00:43
jamielennoxno - that's right, from memory they had to remove projects from it because launchpad didn't support a bug across that many projects00:44
hrybackihah00:44
jamielennox2013-09-13: Fix merged to python-keystoneclient (master)00:45
jamielennoxafaik glance is the only one that didn't00:45
jamielennoxthe reason i think was to do with not being able to control SSL compression from requests - however swift had that and they've since switched00:46
hrybackisomeone extended the requests library or they found another workaround?00:47
jamielennoxi think they decided that it shouldn't be up to the client to dictate that00:47
jamielennoxSSL compression can be subject to the BEAST attack, during SSL handshake both client and server should say whether they support compression or not00:48
jamielennoxessentially they were trying to make the client say no we don't support compression - and the solution should be to disable it on your servers00:48
hrybackiokay00:49
hrybackiis there any good documentation on how each of the clients/servers interact?00:50
jamielennoxnow that i look they've cleaned up the neutron client review a lot00:50
jamielennoxnot really00:50
jamielennoxwell - depends what you want00:50
jamielennoxif you want to know the API then sure there is great docs00:50
hrybackiwell, I feel like I'm missing the bigger picture of how all of these things interact -- and the docs never seem to help much00:51
jamielennoxregarding how the clients work they have all grown somewhat organically00:51
jamielennoxok00:51
jamielennoxheh, where's that pic that everyone likes to use in slides00:51
hrybackiI think I know what you're talking about00:51
hrybackihttps://securityblog.redhat.com/wp-content/uploads/2014/04/openstack-arch-havana-logical-v1.jpg00:51
jamielennoxhttp://docs.openstack.org/training-guides/content/module001-ch004-openstack-architecture.html00:52
jamielennoxyea, that one00:52
jamielennoxessentially what it means is that every service in openstack is responsible for a relatively small component of the overall cloud00:53
* hrybacki nods00:53
jamielennoxand that there is a whole lot of communication between them to offload what they shouldn't be doing00:53
jamielennoxso when managing volumes (disks) you talk to cinder, you do that with the cinder cmdline app which is part of cinderclient00:53
jamielennoxnova when it wants to attach a volume to a VM also has to talk to cinder to find the information of what to offer and attach00:54
jamielennoxso it uses the library part of cinderclient, and unfortunately the library and the CLI components are more tightly interwoven than would be liked00:55
jamielennoxand both of those things talk to keystone to make sure that the user and service wanting to do these things is allowed to00:55
jamielennoxand they should be doing that with keystoneclient00:55
hrybackido all of the components have a server and a client?00:56
jamielennoxyes00:56
jamielennoxthe client side receives a lot less love because it's generally a lot less interesting00:57
jamielennoxand also the client should really just be a reference implementation of something that you could always do yourself because the APIs are well documented00:57
hrybackihuh00:58
hrybackiso, if you were me, which of the components would you start session integration with?00:59
jamielennoxso the more i look the more clients are starting to do it themselves00:59
hrybackiayoung and morazi have talked about glance, neutron, and cinder -- ayoung is working with horizon right now00:59
jamielennoxi just saw a review for ceilometer01:00
hrybackilink?01:00
jamielennoxhorizon is a bit of a difficult one because it tries to cache and reuse connections01:00
hrybackinods -- ayoung said it would be a complicated one01:00
jamielennoxhttps://review.openstack.org/#/c/96323/01:00
hrybackithank you01:01
jamielennoxthat one is somewhat confusing - it looks like he copied neutron before he cleaned it up01:01
jamielennoxso IMO glance is going to be the difficult one, whether that relates to most interesting is up to you01:01
jamielennoxdifferent difficult to horizon, there's no juggling connections or anything it's just that there is a lot of existing code to rip out01:02
*** xianghui has joined #openstack-keystone01:02
jamielennoxand clients are generally concerned with backwards compatibility01:02
jamielennoxhowever i think i would just do it the same way that i did nova and cinder, leave the old stuff there and if they pass a session then we use new behaviour01:02
jamielennoxthen it's a matter of converting all the test cases over so that they test the session code - which takes ages :)01:03
hrybackinods01:03
hrybackiI've got 6 weeks, but I'm new, and I wanna have something concrete to show by the end.01:04
jamielennoxso you'll need to pester the glance guys to get it done, but i know that the PTL is keen to get rid of all that stuff01:05
hrybackiokay, I'll start by playing with Glance a bit to get familiar with the API01:08
jamielennoxcool - but honestly you probably don't need to know the API that much01:08
hrybackiHow would you recommend I start?01:08
jamielennoxthe data that is sent won't change it's just how it is sent01:08
jamielennoxhave a look at the requests library01:08
jamielennoxsee how that works01:08
hrybackiokay01:08
jamielennoxhave a look at the httpclient part of the current glance and figure out how it's sending and receiving http01:09
jamielennoxthe session is just some helpers around the requests library so it's mostly a matter of figuring out how the Managers (the part of the library responsible for a resource) send commands and how to support that with requests01:10
* hrybacki nods01:10
*** mitz has quit IRC01:11
hrybackithanks for taking some time to walk me through this stuff and give me something to get started btw01:13
*** diegows has quit IRC01:13
*** morganfainberg_L has joined #openstack-keystone01:14
jamielennoxno worries, let me know what else you need01:14
jamielennoxi'm sure once you wrap your head around some of the http stuff there will be more questions01:14
hrybackinods, mind if I shoot you emails with questions if you're offline?01:15
jamielennoxyea, that's fine01:21
hrybackijamielennox++ thanks again -- off for the night01:22
jamielennoxnight, and no problem01:22
hrybackio/01:22
*** mitz has joined #openstack-keystone01:25
*** mitz has quit IRC01:28
*** mitz has joined #openstack-keystone01:28
*** ncoghlan has joined #openstack-keystone01:30
*** mberlin has joined #openstack-keystone01:43
*** mberlin1 has quit IRC01:44
*** mitz has quit IRC01:57
*** ncoghlan is now known as ncoghlan_afk01:59
*** topol_ has joined #openstack-keystone01:59
*** topol has quit IRC02:00
*** topol_ is now known as topol02:00
*** mitz has joined #openstack-keystone02:01
*** hrybacki has quit IRC02:03
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Propose Specification for non-persistent-tokens  https://review.openstack.org/9597602:05
morganfainberg_Lawww crap.02:07
morganfainberg_Li lost my gpg key :(02:07
jamielennoxmorganfainberg_L: :(02:13
jamielennoxi know i should get one and make use of it, but i need one on such a rare occasion i'm sure i'll lose it02:14
*** topol has quit IRC02:18
*** bvandenh has quit IRC02:18
*** topol has joined #openstack-keystone02:18
morganfainberg_Ljamielennox: i had to take my primary laptop (personal) into get repaired02:25
morganfainberg_Lended up wiping the HDD in the process (have a backup but think some files are missing)02:25
morganfainberg_Lthis is the first time i've used a linux desktop for more than the odd task in years. it's... passable02:26
morganfainberg_Lbut on the plus side, i have this ubuntu laptop all setup now and can do dev work on it.02:26
* morganfainberg_L almost bought a macbook air while the mbpr was being fixed.02:27
jamielennoxmorganfainberg_L: i haven't done any dev on OSX02:27
jamielennoxso i'm pretty used to the desktop i guess02:27
jamielennoxcan't use windows at all any more02:27
jamielennoxi sat down at a win8 machine the other day - had no idea where anything was02:28
morganfainberg_Llinux desktop still feels so rough compared to osx. a lot of "oh i need to go compile that" or "wow, this is missing x y and z"02:28
morganfainberg_Lwin8 is terribad02:28
morganfainberg_Limo02:28
jamielennoxwhat are you compiling yourself - that's pretty rare for me these days02:29
morganfainberg_Lmostly it is for features on something i need, e.g. pidgin plugin was missing something.02:29
* morganfainberg_L doesn't remember what.02:29
morganfainberg_Lbut i had to recompile it.02:29
morganfainberg_Lchromium i think as well for some reason02:30
jamielennoxok,02:31
*** ncoghlan_afk is now known as ncoghlan02:39
*** mitz has quit IRC02:48
*** mitz has joined #openstack-keystone02:50
*** mitz has quit IRC02:52
*** lbragstad has quit IRC02:54
*** mitz has joined #openstack-keystone02:54
*** lbragstad has joined #openstack-keystone02:55
*** zhiyan_ is now known as zhiyan03:04
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Don't log sensitive auth data  https://review.openstack.org/10179203:14
jamielennoxmorganfainberg_L: it's not tested yet but does ^ seem reasonable?03:15
*** Camisa has joined #openstack-keystone03:28
*** Camisa has joined #openstack-keystone03:28
*** bobt has quit IRC03:30
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Don't log sensitive auth data  https://review.openstack.org/10179204:10
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Don't log sensitive auth data  https://review.openstack.org/10179204:18
*** praneshp_ has joined #openstack-keystone04:23
*** praneshp has quit IRC04:24
*** praneshp_ is now known as praneshp04:24
*** daneyon has joined #openstack-keystone04:34
*** gokrokve has joined #openstack-keystone04:50
*** jamielen1ox has joined #openstack-keystone04:52
*** daneyon_ has joined #openstack-keystone05:01
*** daneyon has quit IRC05:04
*** chandan_kumar_ has joined #openstack-keystone05:13
*** fifieldt has joined #openstack-keystone05:14
*** chandan_kumar has quit IRC05:16
*** chandan_kumar_ is now known as chandan_kumar05:17
*** jamielen1ox has quit IRC05:19
*** morganfainberg_L has quit IRC05:24
*** topol has quit IRC05:26
*** ajc_ has joined #openstack-keystone05:29
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/10180005:30
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/10140405:34
*** gokrokve has quit IRC05:39
*** gokrokve has joined #openstack-keystone05:39
*** gokrokve_ has joined #openstack-keystone05:40
*** gokrokve has quit IRC05:44
*** gokrokve_ has quit IRC05:45
*** ncoghlan is now known as ncoghlan_afk05:54
*** marekd|weekend is now known as marekd05:55
*** ajayaa has joined #openstack-keystone05:57
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/9700506:00
*** ajayaa has quit IRC06:06
*** gokrokve has joined #openstack-keystone06:10
*** gokrokve has quit IRC06:16
*** ncoghlan_afk is now known as ncoghlan06:18
*** afazekas_ has joined #openstack-keystone06:20
*** afazekas has quit IRC06:20
*** ayoung has joined #openstack-keystone06:20
*** ajayaa has joined #openstack-keystone06:23
*** ayoung has quit IRC06:23
*** openstackstatus has quit IRC06:27
*** henrynash has joined #openstack-keystone06:38
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/9216606:42
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens.  https://review.openstack.org/9970406:47
*** BAKfr has joined #openstack-keystone07:06
*** praneshp has quit IRC07:08
*** praneshp has joined #openstack-keystone07:09
*** gokrokve has joined #openstack-keystone07:13
*** afazekas_ is now known as afazekas07:14
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols.  https://review.openstack.org/8382907:15
*** gokrokve has quit IRC07:18
*** praneshp has quit IRC07:21
*** andreaf has joined #openstack-keystone07:44
*** i159 has joined #openstack-keystone08:01
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/8063008:02
*** ajayaa has quit IRC08:03
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Use metadata.create_all() to fill a test database  https://review.openstack.org/9355808:03
*** gokrokve has joined #openstack-keystone08:15
*** ajayaa has joined #openstack-keystone08:15
*** oomichi has quit IRC08:19
*** gokrokve has quit IRC08:20
*** ajayaa has quit IRC08:36
openstackgerritwanghong proposed a change to openstack/keystone: trustor_user_id not available in v2 trust token  https://review.openstack.org/10182908:47
*** ncoghlan has quit IRC08:49
*** ajayaa has joined #openstack-keystone08:54
*** gokrokve has joined #openstack-keystone09:16
*** gokrokve has quit IRC09:21
*** henrynash has quit IRC09:27
*** jaosorior has joined #openstack-keystone09:31
*** RockKuo_Office has joined #openstack-keystone09:37
*** RockKuo_Office has quit IRC09:37
*** RockKuo_Office has joined #openstack-keystone09:37
*** RockKuo_ has joined #openstack-keystone09:37
*** RockKuo_Office has quit IRC09:37
*** RockKuo_ has quit IRC09:37
*** RockKuo_Office has joined #openstack-keystone09:38
*** nsquare has quit IRC10:07
*** nsquare has joined #openstack-keystone10:09
*** nsquare has quit IRC10:09
*** gokrokve has joined #openstack-keystone10:16
*** gokrokve has quit IRC10:21
*** zhiyan is now known as zhiyan_10:32
*** topol has joined #openstack-keystone10:33
*** lalves has joined #openstack-keystone10:35
lalveshi, quick question from an OS/python noobie:10:38
lalvesgetting this error when testing my keystone instance10:39
lalvesmod_wsgi (pid=3000): Exception occurred processing WSGI script '/usr/lib/cgi-bin/keystone/main'.  Traceback (most recent call last):    File "/usr/lib/cgi-bin/keystone/main", line 25, in <module>      gettextutils.enable_lazy()  AttributeError: 'module' object has no attribute 'enable_lazy'10:39
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: TestAuthInfo class in test_v3_auth made more efficient.  https://review.openstack.org/9807210:39
lalvesusing Grizzly10:39
lalvesopenstack-nova-common-2013.1.4-7.el6.noarch openstack-nova-api-2013.1.4-7.el6.noarch openstack-keystone-2013.1.4-2.el6.noarch10:40
lalveson centOS 6.510:40
lalvescould that be due to a wrong keystone/openstack/common/gettextutils.pyc version?10:43
lalvesI'm using this https://github.com/openstack/keystone/blob/master/httpd/keystone.py as /usr/lib/cgi-bin/keystone/main10:44
lalvesTIA10:44
*** mberlin has quit IRC10:59
*** mberlin has joined #openstack-keystone11:11
*** gokrokve has joined #openstack-keystone11:17
*** gokrokve has quit IRC11:22
openstackgerritwanghong proposed a change to openstack/keystone: auth tests should not require admin token  https://review.openstack.org/10186111:28
*** ajayaa has quit IRC11:31
*** chandan_kumar is now known as chkumar24611:35
*** RockKuo_Office has quit IRC11:38
*** diegows has joined #openstack-keystone11:39
*** lbragstad has quit IRC11:40
*** ajayaa has joined #openstack-keystone11:43
*** chkumar246 has quit IRC11:45
*** chandan_kumar has joined #openstack-keystone11:46
*** Ju_ has joined #openstack-keystone11:55
*** xianghui has quit IRC12:14
*** gokrokve has joined #openstack-keystone12:19
*** gokrokve has quit IRC12:24
*** erecio has joined #openstack-keystone12:24
*** gordc has joined #openstack-keystone12:26
*** xianghui has joined #openstack-keystone12:28
*** ajc_ has quit IRC12:40
*** bknudson has joined #openstack-keystone13:02
*** nkinder_ has quit IRC13:13
*** xianghui has quit IRC13:13
*** radez_g0n3 is now known as radez13:13
*** lbragstad has joined #openstack-keystone13:18
*** gokrokve has joined #openstack-keystone13:20
*** richm has joined #openstack-keystone13:26
*** gokrokve has quit IRC13:26
*** dims has joined #openstack-keystone13:31
*** joesavak has joined #openstack-keystone13:32
*** hrybacki has joined #openstack-keystone13:37
*** Dafna has joined #openstack-keystone13:45
*** gordc has quit IRC13:50
*** daneyon_ has quit IRC13:52
*** ajayaa has quit IRC13:57
*** gordc has joined #openstack-keystone13:59
*** stevemar has joined #openstack-keystone14:04
*** nkinder_ has joined #openstack-keystone14:08
*** morganfainberg_L has joined #openstack-keystone14:18
*** gordc has quit IRC14:19
morganfainberg_Lmornin14:19
*** jsavak has joined #openstack-keystone14:20
morganfainberg_Lbknudson: ping, re: 409 errors fi14:21
morganfainberg_Lx14:21
bknudsonmorganfainberg_L: is this the real morganfainberg?14:21
morganfainberg_Lbknudson: yeah14:21
jsavakauthenticated!14:21
morganfainberg_Lbknudson: other laptop is broken, and don't have access to my personal VPN for my ZNC14:22
bknudsonmorganfainberg_L: ok, only the real morganfainberg would know to answer with "yeah"14:22
morganfainberg_Llol14:22
bknudsonmorganfainberg_L: right, so not surprisingly we're sloppy in our exceptions14:22
*** morganfainberg_L is now known as mdrnstm14:23
*** mdrnstm has quit IRC14:23
*** mdrnstm has joined #openstack-keystone14:23
bknudsonmdrnstm: : and since we're sloppy and I don't think we'll be un-sloppy any time soon, and there's security implications ....14:23
*** gokrokve has joined #openstack-keystone14:23
bknudsonhow about we default to "secure" exceptions14:23
*** ChanServ sets mode: +o mdrnstm14:23
mdrnstmbknudson: there? proof enough it's me :P14:24
bknudsonand then pick some that we know are safe non-secure14:24
mdrnstmbknudson: that was what i wanted to check with you on before changing the code14:24
mdrnstmbknudson: i think the suggestion to make the base exception the 'securityexception' was good14:24
mdrnstmand then we can relax the data sent out as needed instead of trying to secure the data as we find holes14:25
bknudsonmdrnstm: seems like the only safe way to do it14:26
mdrnstmbknudson: ++ cool.14:26
bknudsonmdrnstm: I don't know what we can mark as safe -- maybe NotFound?14:26
mdrnstmLOL14:26
mdrnstmnotfound should be relatively safe14:27
*** gordc has joined #openstack-keystone14:27
*** gokrokve has quit IRC14:28
bknudsonmdrnstm: should we have a class for safe exceptions or should it be a flag for each instance?14:29
bknudsonif it's a flag then we'd have to be explicit and wouldn't be making any safe by accident14:30
bknudsonmaybe docstring for the exception would help14:30
mdrnstmprobably.14:31
mdrnstmi'll figure it out14:31
*** ayoung has joined #openstack-keystone14:32
marekdstevemar: hi.14:35
marekdstevemar: appreciate your eyes on https://review.openstack.org/#/c/83829/14:36
stevemarmarekd, ahhhh, yes!14:37
marekdstevemar: don't worry.14:37
*** lalves has quit IRC14:38
*** morganfainberg has quit IRC14:45
*** morganfainberg_Z has joined #openstack-keystone14:45
*** mdrnstm is now known as morganfainberg14:45
*** diegows has quit IRC14:51
*** gokrokve has joined #openstack-keystone14:52
*** gokrokve has quit IRC14:53
*** gokrokve has joined #openstack-keystone14:53
*** radez is now known as radez_g0n314:53
*** rwsu has joined #openstack-keystone14:55
morganfainbergbknudson, jamielennox, ayoung, working with infra to get middleware repo created asap14:55
ayoungmorganfainberg, sounds good14:56
morganfainbergjust got the first +2 on it14:56
ayoungmorganfainberg, I still think we want to have a strategy to deduplicate the code between the two repos.  I realize there is a circular, but there has to be some solution14:56
bknudsonmorganfainberg: they're going to do it today rather than wait until fri?14:57
*** gokrokve has quit IRC14:57
ayoungbknudson, why wait14:57
morganfainbergbknudson: i dunno, they didn't get it done last friday because trying to get gate using 14.0414:58
morganfainbergbknudson: was told it really was just bugging the right people, might get it sooner14:58
bknudsonayoung: my understanding is that they queued repo changes to fridays.14:58
*** joesavak has quit IRC14:58
*** jsavak has quit IRC14:58
ayoungbknudson, cuz they like working over wekends?14:58
ayoungweekends14:58
bknudsonbecause there's some manual work that needs to be done14:58
morganfainbergayoung: i think "duplicating" code is bad. and circular deps are even worse.14:59
morganfainbergwe can just propose fixes to both places if you _really_ feel strongly about it, but that would require changing the spec.14:59
*** radez_g0n3 is now known as radez14:59
ayoungmorganfainberg, short of creating a separate repo for libkeystone, though, I can't see how to make it work, and I think that is too far15:00
ayoungOK,  here is what we need to do, I think15:00
morganfainbergayoung: yeah, i think the security maintenance of ksc middleware is a good option15:00
morganfainbergesp. if we are releasing middleware as 1.0.0 (stable)15:00
ayoungyeah15:01
*** joesavak has joined #openstack-keystone15:01
*** jsavak has joined #openstack-keystone15:01
*** xianghui has joined #openstack-keystone15:04
*** jareking has joined #openstack-keystone15:04
*** jareking has quit IRC15:06
*** jsavak has quit IRC15:07
*** david-lyle has joined #openstack-keystone15:16
*** gordc has quit IRC15:20
*** gokrokve has joined #openstack-keystone15:23
stevemaranyone seeing a "worlddump.py: error:" in devstack recently?15:23
*** gokrokve_ has joined #openstack-keystone15:23
*** gokrokve has quit IRC15:27
*** afazekas has quit IRC15:28
morganfainbergstevemar: "worlddump" thats new...15:29
stevemarmorganfainberg, apparently so, within the last 24 hrs15:29
stevemarapparently for dumping process info15:29
stevemari think it depends on a specific log directory being setup, but if devstack craps out earlier, then the directory is never setup15:30
*** daneyon has joined #openstack-keystone15:30
morganfainberglooks like dpkg related15:30
morganfainbergdoing this on ubuntu i am guessing?15:30
*** gordc has joined #openstack-keystone15:31
morganfainbergstevemar: https://github.com/openstack-dev/devstack/commit/4adc16f7e453de014abc97ac254c105ab120caae might be the guilty commit15:32
stevemarmorganfainberg, yep, and I opened, https://bugs.launchpad.net/devstack/+bug/133332115:33
uvirtbotLaunchpad bug 1333321 in devstack "worlddump shouldn't depend on LOGDIR" [Undecided,New]15:33
stevemarit's probably a mistake in my setup, but it should give a better error message :)15:34
morganfainbergstevemar: ++15:34
ayoungany one feel like we spend so much time on process now that we are not really making any forward process, or such minimal forward progress as to be irrelevant?15:36
openstackgerritLance Bragstad proposed a change to openstack/keystone: Make gen_pki.sh bash8 compliant  https://review.openstack.org/9343815:40
topolayoung I agree the process is too slow now. blueprints are much better but price is too high. wish there was a compromise. don't want to go back to 3 line blueprints15:41
morganfainberglbragstad: mind updating the commit on that ^ to reflect it also affected debug_helper.sh ?15:41
morganfainberglbragstad: otherwise lgtm15:41
morganfainbergtopol: ++15:41
lbragstadmorganfainberg will do, thanks!15:41
ayoungtopol, it's more than that.  With Keystone, we should be far more stand alone, but instead we are dependent on changes to every last *aaS  that gets added.15:41
ayoungSpecs for BPs are actually fine15:42
morganfainbergayoung: we might be able to petition TC to allow us to release more like swift... but i think we have some serious cleanup to do before then15:42
*** gyee has joined #openstack-keystone15:42
topolayoung, please give an example15:42
openstackgerritLance Bragstad proposed a change to openstack/keystone: Make gen_pki.sh & debug_helper.sh bash8 compliant  https://review.openstack.org/9343815:42
ayoungtopol, every time we can't get code merged because of Grenade15:43
morganfainbergayoung: but i don't see what we're blocking on tbh with other *aaS15:43
ayoungor some other test like that which has nothing to do with Keystone15:43
*** BAKfr has quit IRC15:43
morganfainbergayoung: except we do want to make sure we don't break people in upgrades, even if we released independent of named releases15:44
ayoungtopol, or other tempest cinder type issues15:44
ayoungmorganfainberg, there is a lot of automation for testing, but I don't think Keystone has the right set of it.  Maybe that is on us.15:44
morganfainbergsure, but the inverse is true, if we screw up something the gate helps protect everyone who depends on us15:45
hrybackiayoung: do your session integration work with Horizon up anywhere?15:45
morganfainbergit's not foolproof, but it's really one of the best CI systems i've seen15:45
ayoungBut  we also are pretty restrictive . I think the "no API changes" after Milestone 2  is a pretty draconian restriction15:46
ayounghrybacki, not yet...still hacking on it local15:46
hrybackiayoung: nods15:46
morganfainbergif we released separate from named releases, that would be a different bet.15:46
ayoungmorganfainberg, it's no one thing, it's the sum total of everything we have in place.  I'll admit Termie rewriting everything in a vacuum was too much one way, but we're starting to slip too far the other15:46
morganfainbergbut as long as we're within the named release cycle we need to draw lines somewhere.15:46
marekdmorganfainberg: Hey. Do you mind  taking a look at https://review.openstack.org/96867  esp the workflow description starting at line 116) . I am asking especially you cause you are working on non persistent tokens and it looks like he might need to *somehow* store tokens in the backend or cache.15:47
ayoungmorganfainberg, well, probably the mistake was writing Keystone in the first place15:47
ayounginstead of using SAML15:47
ayoungor some other mechanism that already existed15:47
stevemarit seems devstack is breaking my pip install :\15:47
morganfainbergmarekd: sure. that would be icky to need to store tokens15:47
marekdmorganfainberg: i know ;/15:48
marekdmorganfainberg: i would like to push this bp somehow....15:48
morganfainbergayoung: we are making strides towards correcting some of the issues, but some stuff is in the past15:48
morganfainbergmarekd: i might need coffee for this.15:50
morganfainbergmarekd: but i'm looking15:50
marekdmorganfainberg: because it's that boring ? :P15:50
morganfainbergmarekd: no cause my brain doesn't work well when i haven't been caffeinated15:51
* morganfainberg hasn't had breakfast yet.15:51
* marekd already thinks about dinner :P15:51
ayounghrybacki, I started some more trello thoughts.  But I can't add to your board15:52
hrybackiayoung: 1 sec15:52
hrybackiayoung: you've got admin rights now15:53
ayounghrybacki, thanks...now I need to remember my password.  I've been doing this all on my phone where it is cached...15:53
ayoungAh...15:54
ayoungOK, I'm in15:54
ayoungthere are strange things that happen in the land of web authentication15:54
ayoungsometimes I just shake my head and move on15:54
ayounghrybacki, OK, So I have another board...15:55
hrybackiHave you added me to it?15:55
ayoungdo you have a virtual organization set up for the Glance board?15:55
hrybackinope -- I could make one really quick though15:56
ayoungnot yet, I'd rather move the cards to the existing board15:56
ayoungwhich I just renamed15:56
hrybackinods15:56
morganfainbergmarekd: is this meant to be AuthN or AuthZ?15:57
marekdmorganfainberg: what?15:57
marekdmorganfainberg: mind i am not an author....15:58
morganfainbergmarekd: i'm seeing mixed information, where the client is redirected to the authorization server15:58
morganfainbergmarekd: sure, was asking to see if you knew ;)15:58
morganfainbergmarekd: i'm happy to comment, but making sure i'm not missing some subtlety15:58
marekdmorganfainberg: ah, so I think he meant both....15:58
morganfainbergah, so he's expecting the provider (SAML) to be both authn and authz?15:59
morganfainbergi think that is.. not gonna fly.15:59
marekdmorganfainberg: he wants to use saml like we do now...15:59
morganfainbergoh hm15:59
morganfainbergohh i see he just doesn't call out keystone as is15:59
morganfainberglike i said, no coffee yet15:59
marekdhe speaks about "login page in Keystone"15:59
marekdfirst of all: he wasnt to solve two problems with one bp.16:00
marekdwants*16:00
morganfainbergyeah and sometimes killing two birds with one stone is fine16:00
*** packet has joined #openstack-keystone16:00
marekdmorganfainberg: yeah.16:00
marekdmorganfainberg: let's say real example: A client (browser) goes to Horizon webpage, and automatically gets redirected directly to Keystone (https://keystone.com/login). Now, the client authn himself. In response he gets something that is called 'authorization code', which identifies a user.16:02
marekdKeystone should very likely redirect the client to the Horizon again16:02
morganfainbergmarekd: sure16:02
marekdand horizon should use this code to retrieve token.16:02
nkinder_there's an interesting question about signing cert renewal on the user list16:03
morganfainbergnkinder_: i saw. have been mulling it over before responding.16:03
marekdnkinder_: you are talking about websso now?16:03
nkinder_if the signing cert is renewed, but you use the same keys, wouldn't the old tokens still be valid?16:04
marekdnkinder_: ah, sorry ;/16:04
nkinder_marekd: no, I changed topics...16:04
marekdnkinder_: yeah, sorry about that :(16:04
morganfainbergnkinder_: i.. don't know16:05
hrybackiayoung: -- revised the integration board, please review16:05
marekdmorganfainberg: speaking about websso, as you may see my comments i am not really sure who are the actors in depicted workflow ;/16:05
morganfainbergmarekd: yeah seeing the comments as i go through16:06
morganfainbergtotally agree the diagram and workflow aren't as clear as they need to be16:06
morganfainbergi can make intelligent guesses, but i hate guessing when it comes to reviewing ;)16:06
marekdmorganfainberg: ++16:06
marekdi spend some time trying to figure out who is who, but i could see opposing pieces information16:07
marekdspent*16:07
morganfainbergnkinder_: so, when you sign something, you sign with the cert and the key.. right? not just the key?16:07
morganfainbergnkinder_: trying to think through token validity here (outloud)16:07
morganfainbergnkinder_: so if we're using the cert _and_ key, we can't validate with the new cert16:08
morganfainbergnkinder_:  since it's tied to the old cert.16:08
*** Dafna is now known as Dafna_away16:09
nkinder_morganfainberg: the CMS RFC shows that it has issuer and serial number16:10
ayounghrybacki, I'm going to make the Horizon board public.  If we talk about it in here, no reason other people shouldn't be able to see it16:10
nkinder_morganfainberg: this is really a case where we need the ability to have multiple certs used for validation16:11
marekddolphm: o/ How reluctant would you be to bind some HTML or even JS directly with Keystone?  I am speaking about WebSSO.16:11
morganfainbergnkinder_: yeah. sounds like it16:11
nkinder_morganfainberg: it would allow renewal as well as using separate keys/certs for separate keystone instances in HA16:11
hrybackiayoung++16:11
morganfainbergnkinder_: though i'm (unfortunately) sadly out of date with my renewal of cert knowledge16:11
*** jaosorior has quit IRC16:12
morganfainbergnkinder_: maybe a legitimate cert "renewal" would still validate16:12
nkinder_morganfainberg: well, the serial number changes when you do a renewal16:12
morganfainbergnkinder_: true.16:13
nkinder_morganfainberg: but you can use the same keys16:13
*** bknudson has quit IRC16:14
*** praneshp has joined #openstack-keystone16:15
*** nsquare has joined #openstack-keystone16:17
morganfainbergnkinder_:  i think you're right, this is a case of needing multiple validation certs.16:17
morganfainbergrelated, we would need to allow keystone to provide OS-SIMPLE-CERT? multiple certificates then?16:18
morganfainbergbut more to the point http://www.ietf.org/rfc/rfc3850.txt effectively says we shouldn't rely on signingtime (if i am reading this correctly), if the cert is expired the tokens should also be invalid16:19
*** dstanek_zzz is now known as dstanek16:24
*** gokrokve_ has quit IRC16:24
*** browne has joined #openstack-keystone16:24
*** marcoemorais has joined #openstack-keystone16:26
dstanekmorganfainberg: gertty is a great idea, but it's hard for me to actually use it16:27
morganfainbergdstanek: it takes time to get used to it16:27
morganfainbergdstanek: it may also not be a good option for you :) to each their own, right?16:27
morganfainbergmarekd: , i don't see a need to cache the token anywhere in here16:28
marekdtopol: I responded to your question in websso bp (https://review.openstack.org/#/c/96867/)16:28
morganfainbergmarekd:  thankfully16:28
dstanekmorganfainberg: i think there are some UI change i can make to get it to work better for me - i really want to do offline reviews16:28
topolmarekd, OK cool. I will look later today16:28
marekdmorganfainberg: how do we map authorization code with token?16:28
marekdtopol: ++16:28
morganfainbergmarekd: for what revocations? you would need to include the auth code in the token16:29
morganfainbergmarekd: once the keystone token is issued, we don't really care (Except for audit and revocation) what the auth code is16:29
morganfainbergthe rest of the info would already be in the token.16:29
marekdmorganfainberg: so, so after authN Keystone would need to return whole token.16:29
morganfainbergthat is how the saml stuff works today, no? you auth, get the assertion and the assertion is used to issue a token (drastic simplification)16:30
marekdmorganfainberg: yes it does, but according to the author's idea only auth code is returned.16:30
marekdand he later reuses this auth code to get a token.16:31
morganfainbergwell this author is also thinking that keystone would broker the username/password16:31
morganfainbergwhich would be wrong and insecure16:31
morganfainberghand my AD credentials to keystone, and keystone asks for the assertion?16:31
marekdmorganfainberg: if you look at line ~20716:31
marekdi think he assumes that having this authorization code will be enough to get a token.16:32
*** gordc has quit IRC16:32
morganfainbergmarekd: ah hadn't gotten that far in yet16:32
ayoungnkinder_, so, on the OS-SIMPLE-CERT  question, I was wondering if we could, as a first approximation, just send all of the certs that Keystone knows about every time it is called16:32
marekdmorganfainberg: ah, ok.16:32
morganfainbergmarekd: i also think this needs to be split up16:33
ayoungmorganfainberg, the SIMPLE_CERT API is already written to send more than one cert,16:33
morganfainbergayoung: ++16:33
marekdmorganfainberg: split into federated/non-federated usecase?16:33
ayoungmorganfainberg, but that might now work in practice16:33
morganfainbergmarekd:  yeah16:33
morganfainbergmarekd: they may be closely related, and the federated case may expand on the non-federated case (do a redirect instead of consuming/brokering username/password)16:33
ayoungmorganfainberg, for example, if you were to use CURL to hit simple-cert, I don't know if there is any clean way to say "save them each in their own file"  but maybe for PEM files and openssl, it doesn't matter16:33
ayoungI think that the verify can work against a set of certs in the same file16:34
marekdmorganfainberg: maybe.16:34
marekdmorganfainberg: whatever we do we might need some hacks on top of that...;/16:34
morganfainbergayoung: or we could make it multiple certs return a 30..what was multiple options? 305? and then you get a list you can download, download them all in sequence16:34
morganfainbergmarekd: yeah. :(16:35
ayoungfrom the openssl cms  man page:  cert.pem...         one or more certificates of message recipients: used when           encrypting a message.16:35
marekdmorganfainberg: that's why I am starting to have some crazy ideas about handling the login in JS.16:35
marekdlogic*16:35
marekdsorry16:35
morganfainbergayoung: that is the sign/encrypt part, what about the verify part16:35
morganfainbergayoung:  i have no doubt sign/encrypt can target multiple recipients (though the token would balloon in size)16:36
ayoungmorganfainberg, 300 multiple choices  does not mean that, I think16:36
ayoungmorganfainberg, no this is the verify part16:36
ayoung sign encrypt would be with a singe cert16:36
ayoungsingle16:36
ayoungOS-SIMPLE_CERT is for distributing the server for verification16:37
morganfainbergwhat you quoted was 'used when encrypting' ^^ look up :P16:37
marekdmorganfainberg: anyways, i once had suggested that maybe a full token, instead of authorization code, should be returned, but author didn't like that idea. Leave your comments if possible, as you will have probably much bigger impact on all that.16:37
ayoungmorganfainberg, yes, cuz they all share the same common options:  cms verify, encrypt etc16:37
morganfainbergayoung: i admit i am unfamiliar with a chunk of this16:38
ayoungmorganfainberg, man cms16:38
morganfainbergayoung: i've been reading that :P16:38
ayoungopenssl is a little greedy when it comes to man page namespacing16:38
morganfainbergayoung: it still makes my brain hurt! ;)16:38
*** gordc has joined #openstack-keystone16:38
morganfainbergayoung: we also have an issue with middleware leaking tmpdirs16:39
morganfainbergayoung: mildly related16:39
morganfainbergrestart a service enough, middleware will consume /tmp with tmpdirs if you don't specify a signing dir16:39
ayoungmorganfainberg, remember, most of the verify examples they show assumes that the certs are embedded in the message16:39
morganfainbergayoung: ah right. and we're not embedding them16:39
ayoungmorganfainberg, I thought we specified the "autocleanup" option when creating tmpdir16:40
ayoungif not, we should16:40
morganfainbergayoung: mkdtemp has not autocleanup16:40
morganfainbergno*16:40
morganfainbergit is explicitly the job of the invoker to cleanup afterwards16:40
morganfainbergthe tmpfile creation would have autocleanup16:40
ayoungis that the python call?16:41
morganfainbergyeah we use tempfile.mkdtemp16:41
morganfainbergor similar16:41
ayoungand that should call the underlying klib...looking16:41
*** marekd is now known as marekd|away16:41
morganfainbergayoung: https://docs.python.org/2/library/tempfile.html#tempfile.mkdtemp16:42
morganfainbergayoung: The user of mkdtemp() is responsible for deleting the temporary directory and its contents when done with it.16:42
ayoungmorganfainberg, there are other variations, though16:42
ayoungat least in the native lib16:43
morganfainbergayoung: not for directories, for files (python not sure about native lib)16:43
ayoungmorganfainberg, if we don't get autocleanup, we have to trap and cleanup on exit16:44
morganfainbergor we could instead use multiple tempfiles that do autocleanup16:44
*** amcrn has joined #openstack-keystone16:44
morganfainbergno reason we _have_ to use a tmpdir16:44
ayoungah, but we can't unlink....16:44
morganfainbergmkstmp automatically handles that when the FD is closed16:45
morganfainbergor uh tempfile?16:45
ayoungmorganfainberg, except that we don't know the  name of the file a-priori, and remember this needs to work from Apache HTTPD16:45
morganfainberghttps://docs.python.org/2/library/tempfile.html#tempfile.NamedTemporaryFile16:45
morganfainbergayoung: this is middleware, not keystone16:46
ayoungmorganfainberg, and we need the other services to be capable of running in HTTPD16:46
morganfainbergwe create a tmpdir per thread as is16:46
morganfainbergthis is all irrelevant if a shared signing dir is specified16:47
morganfainbergthis is just if middleware does all the management, which case separate tempfiles isn't different from what we do now, just would autocleanup16:47
morganfainberganyway16:48
*** dstanek is now known as dstanek_zzz16:48
*** diegows has joined #openstack-keystone16:52
*** dstanek_zzz is now known as dstanek16:52
*** gordc has quit IRC17:00
*** nsquare has quit IRC17:01
*** bobt has joined #openstack-keystone17:07
*** i159 has quit IRC17:08
*** harlowja_away is now known as harlowja17:08
morganfainbergmarekd|away: commented on the SSO review17:13
*** vhoward has left #openstack-keystone17:20
*** nsquare has joined #openstack-keystone17:33
*** richm has quit IRC17:34
*** gordc has joined #openstack-keystone17:34
*** gordc has quit IRC17:40
*** gokrokve has joined #openstack-keystone17:44
*** andreaf has quit IRC17:46
*** ayoung has quit IRC17:47
morganfainberggyee: i updated henry-nash's spec update to correct17:48
morganfainberg'encryption' to 'hashing'17:48
*** richm has joined #openstack-keystone17:48
*** amerine has joined #openstack-keystone17:50
*** hrybacki_ has joined #openstack-keystone17:51
gyeemorganfainberg, looks good!17:52
*** hrybacki has quit IRC17:54
*** ayoung has joined #openstack-keystone17:55
*** hrybacki_ has quit IRC17:56
*** harlowja has quit IRC18:00
*** marcoemorais has quit IRC18:02
*** marcoemorais has joined #openstack-keystone18:03
*** marcoemorais has quit IRC18:04
*** marcoemorais has joined #openstack-keystone18:04
*** marcoemorais has quit IRC18:04
*** marcoemorais has joined #openstack-keystone18:04
*** marcoemorais has quit IRC18:05
*** marcoemorais has joined #openstack-keystone18:06
*** marcoemorais has quit IRC18:06
*** marcoemorais has joined #openstack-keystone18:06
*** bknudson has joined #openstack-keystone18:06
stevemarjoesavak, ping18:08
*** hrybacki has joined #openstack-keystone18:08
*** hrybacki has quit IRC18:12
*** hrybacki has joined #openstack-keystone18:12
hrybackiayoung: should we make the other board public as well?18:15
ayounghrybacki, yeah, if we are going to keep it just with the upstream tasks18:15
hrybackiI don't foresee any reason why that wouldn't be the case, do you?18:16
hrybackiayoung: how are you testing horizon to see where you need to make patches?18:28
ayounghrybacki, heh, right now I am battling a devstack setup18:29
ayoungI had one working, but it was for all of the kerberos work18:29
hrybackiayoung: hehe18:29
ayoungwhat i am trying to do is run a vm18:29
ayoungand mount the devstack dir via nfs18:29
ayoungand I had it working, but I started with a cloud image, and it only has 2 GB of storage.18:29
ayoungso I'm resizing it, and it is a pain18:30
hrybackithat sounds complicated -- why not just set up your vm with virt-whatever, install devstack, and roll?18:30
dstanekbknudson: what (if anything) actually uses sqlite_db? i didn't see oslo.db using it either. re: https://review.openstack.org/#/c/10163518:33
bknudsondstanek: nova tests18:33
bknudsonand some other projects use it, don't remember which18:34
amerineayoung: Is it cool if I PM you real quick?18:34
ayoungHAHAH18:34
ayoungamerine, sure18:34
*** ajayaa has joined #openstack-keystone18:36
bknudsondstanek: looks like nova could stop using it by parsing sqlite_connection18:36
bknudsonoops, sql_connection18:36
dstanekbknudson: odd, i wonder why oslo.db defines it as an option if it's not used by them18:38
*** harlowja has joined #openstack-keystone18:38
*** harlowja has quit IRC18:38
*** harlowja has joined #openstack-keystone18:39
*** harlowja has quit IRC18:39
bknudsondstanek: I filed a bug and tried to get rid of it but they wanted nova, etc, changed first18:39
openstackgerritA change was merged to openstack/keystone: Make gen_pki.sh & debug_helper.sh bash8 compliant  https://review.openstack.org/9343818:39
dstanekbknudson: odd, i wonder why oslo.db defines it as an option if it's not used by them18:42
bknudsondstanek: I filed a bug and tried to get rid of it but they wanted nova, etc, changed first (same response as last time)18:46
*** ayoung has quit IRC18:48
openstackgerritLance Bragstad proposed a change to openstack/keystone: Initial implementation of validator  https://review.openstack.org/8648318:48
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Catalog V3 resources  https://review.openstack.org/9626618:48
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources  https://review.openstack.org/8648418:48
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Credential V3  https://review.openstack.org/9852218:48
stevemarthis change has made my keystone unhappy https://github.com/openstack/keystone/commit/8db9ba790696c5572a8fce3be913f05fa391c49118:48
stevemardstanek did you also have the same issue?18:49
dstanekstevemar: not that i know of...is that broken for you?18:50
stevemarwell I don't have it cloned or anything, but i pulled in latest changes for keystone, and i couldnt do operations18:51
*** harlowja has joined #openstack-keystone18:51
*** harlowja has quit IRC18:51
*** david-lyle has quit IRC18:51
*** david-lyle has joined #openstack-keystone18:52
stevemardstanek, just cloned it into the same directory as all my other openstack stuff, but i'm still getting an import error when the keystone code hits oslo.db18:52
*** david-lyle has quit IRC18:52
*** harlowja has joined #openstack-keystone18:52
*** harlowja has quit IRC18:52
dstanekstevemar: failing to import oslo.db?18:52
hrybackijamielennox: you around?18:53
dstanekstevemar: you may have to rebuild your tox env18:53
*** david-lyle has joined #openstack-keystone18:53
stevemardstanek, that will make my shoes sad18:53
*** harlowja has joined #openstack-keystone18:53
stevemardstanek, i just pip installed the latest version, seems to be all better18:54
bknudsonis git fetch working for people?18:54
bknudsonok, it finally worked18:55
joesavakstevemar - yo! : )18:55
stevemarjoesavak, i was just closing my laptop to get a coffee, catch you in 10 minutes?18:56
joesavaksure18:56
stevemarjoesavak, awesome, wanted to talk keystone specs stuff18:56
joesavakwoot.18:57
*** dims_ has joined #openstack-keystone18:57
*** dims has quit IRC18:58
*** stevemar has quit IRC18:58
*** ayoung has joined #openstack-keystone19:00
*** gordc has joined #openstack-keystone19:04
*** marcoemorais has quit IRC19:06
*** marcoemorais has joined #openstack-keystone19:06
*** marcoemorais has quit IRC19:06
*** marcoemorais has joined #openstack-keystone19:07
*** david-lyle has quit IRC19:08
*** david-lyle has joined #openstack-keystone19:08
*** david-lyle has quit IRC19:09
*** david-lyle has joined #openstack-keystone19:10
*** esmute has quit IRC19:10
*** fyb3r has joined #openstack-keystone19:15
fyb3rI need a little help with an error im getting. Currently im following the install guide on the site, on this http://docs.openstack.org/icehouse/install-guide/install/apt/content/glance-verify.html page. When I go to run glance image-create --name "cirros-0.3.2-x86_64" --disk-format qcow2 \   --container-format bare --is-public True --progress < cirros-0.3.2-x86_64-disk.img   after sourcing the OS_USERNAME:glance    OS_PASSWORD:password I us19:18
fyb3r401 Unauthorized19:18
fyb3rThis server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.19:18
fyb3rRequest returned failure status.19:18
fyb3rInvalid OpenStack Identity credentials.19:18
*** stevemar has joined #openstack-keystone19:19
fyb3rapi-log shows this:     2014-06-23 13:44:51.867 13342 INFO keystoneclient.middleware.auth_token [-] Invalid user token - deferring reject downstream,  2014-06-23 13:44:51.897 13342 INFO glance.wsgi.server [-] 10.1.10.150 - - [23/Jun/2014 13:44:51] "POST /v1/images HTTP/1.1" 401 381 0.03128019:19
fyb3rany help would be awesome ^_^19:19
*** esmute has joined #openstack-keystone19:25
hrybackiayoung, jamielennox: I'm digging around in https://github.com/openstack/python-glanceclient/blob/e6579f43cc39db0f2d640041477b66a011acff59/glanceclient/common/http.py#L74 -- but I'm not really sure how to get started with the port tbh19:28
*** erecio has quit IRC19:37
*** erecio has joined #openstack-keystone19:38
ayounghrybacki, lets start with the Horizon board:19:45
ayounghttps://trello.com/b/YamiJPl6/horizon-auth19:45
hrybackinods19:45
ayounghrybacki, OK ,so what I found was that they are doing wacky things with creating the client19:46
hrybackiokay'19:46
ayoungso the first thing to do is to19:46
ayoungah.....19:47
morganfainberglbragstad: couple minor comments on your validator patches19:47
hrybackiis that a question or lead up to a statement?19:47
ayoungyeah,  very different from the Horizon case19:47
ayoungHorizon already uses Keystone client19:48
ayoungin some ways, you might be in a better position19:48
ayoungOK...19:48
ayoungso, leaving the existing code in place, first thing is just create a keystoneclient session object...somewhere19:48
ayoungprobably where something would currently create an HTTPClient19:49
*** ajayaa has quit IRC19:49
openstackgerritJoe Savak proposed a change to openstack/keystone-specs: Implements: blueprint keystone-to-keystone-federation  https://review.openstack.org/10002319:49
openstackgerritJoe Savak proposed a change to openstack/keystone-specs: Spec to define cross-keystone federation  https://review.openstack.org/10198719:50
joesavakurg.19:50
ayounghrybacki, so,  um, it would seem that you would need to be able to create a glanceclient the same way that the keystone code creates a keystone client19:54
ayoungmake session an optional parameter, and if it is included use it to populate the values of the client19:55
ayounghrybacki, http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/client.py#n4219:56
hrybackiokay19:58
hrybackiso, leaving the glanceclient stuff that is currently there intact, create a new way of establishing a keystone client connection that can optionally be handed a session, yes?19:59
*** packet has quit IRC20:01
lbragstadmorganfainberg thanks!20:05
fyb3r>_> still dunno what to do about my problem20:05
openstackgerritA change was merged to openstack/keystone-specs: Always use a hash based Public ID for cross backend identifiers  https://review.openstack.org/10049720:07
hrybackiayoung: it's not a coincidence that https://github.com/openstack/python-glanceclient/blob/e6579f43cc39db0f2d640041477b66a011acff59/glanceclient/common/http.py looks remarkably similar to https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/httpclient.py is it?20:08
*** bknudson has quit IRC20:10
*** bknudson has joined #openstack-keystone20:11
hrybackiayoung: can you point fyb3r to someone who might be able to help with his error?20:11
fyb3r<#20:13
fyb3r<3 too20:13
*** jamielennox is now known as jamielennox|away20:16
fyb3rthough I believe Im finding my way around the service now and how to troubleshoot it ^_^ but help is always appreciated lol20:17
ayoungfyb3r, reading up20:19
*** stevemar2 has joined #openstack-keystone20:19
ayoungfyb3r, http://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/20:20
fyb3rIll get on it. ty for the link20:21
hrybackiayoung++20:21
*** stevemar has quit IRC20:22
*** nkinder has joined #openstack-keystone20:28
*** daneyon has quit IRC20:30
fyb3rit seems the guide for icehouse and juno are pretty lacking with their info too. In combining the knowledge from the grizzly guide and icehouse / juno, i think I have it figured out lol20:30
*** nkinder_ has quit IRC20:32
hrybackifyb3r: the docs are seriously lacking =/20:33
fyb3rcant complain for free though :) mayhaps I should get off my butt and contribute to my findings20:33
hrybackinods, I have a list of numerous fixes to the docs -- haven't taken the time to figure out _where_ to go to request changes to them though20:34
*** marcoemorais has quit IRC20:36
*** marcoemorais has joined #openstack-keystone20:37
hrybackiayoung: should I be worried about the v1 client for glance or not?20:39
ayounghrybacki, I don't think so.  But worth finding out from the Glance community about that20:40
ayoung#openstack-glance probably20:40
hrybackiI pinged them earlier but got static back20:40
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Federating multiple Keystones  https://review.openstack.org/10002320:41
hrybackijust pinged them again20:41
hrybackiayoung: I still don't understand the purpose of the clients for each component exactly, why not just interact with the servers directly? How do they actually function in a real world setup?20:42
*** vhoward has joined #openstack-keystone20:43
ayounghrybacki, its what happens when you start coding:  just coding curl to the server...then you find common parts, refactor, and bam,  you have a whole Python API20:43
ayoungand each of the projects evolved a little differently20:44
ayoungso we are trying to make sure that common part is really common20:44
ayoungespecially when it comes to security20:44
ayoungthey all need tokens, and have to go to keystone to get them20:44
ayoungthey should not each be writing that code from scratch20:44
ayoungadd in SSL and Kerberos and it all gets quite tricky20:44
hrybackiso in essence they are just API wrappers that communicate with their respective servers (the actual components)?20:45
hrybackido we want the glanceclient communicating with keystone to start a session or should that be going through a keystoneclient? all a bit confusing =/20:47
*** topol has quit IRC20:48
openstackgerritLance Bragstad proposed a change to openstack/keystone: Initial implementation of validator  https://review.openstack.org/8648320:48
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Catalog V3 resources  https://review.openstack.org/9626620:48
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources  https://review.openstack.org/8648420:48
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Credential V3  https://review.openstack.org/9852220:48
stevemar2lbragstad, marekd|away dstanek gyee dolphm morganfainberg ayoung and whoever else i missed, i would appreciate eyes on https://review.openstack.org/#/c/100023/520:50
marekd|awaystevemar2: link again please?20:51
stevemar2marekd|away, https://review.openstack.org/#/c/100023/520:51
marekd|awaystevemar2: just lookin at it.20:51
marekd|awaystevemar2: did you somehow stay in touch with Joe?20:52
stevemar2marekd|away, btw i got federation working with our product, is your SAML client stuff usable yet?20:52
stevemar2marekd|away, i did20:52
fyb3rwelp i lied, damn thing is still broken lol20:52
marekd|awaystevemar2: i think so.20:52
stevemar2marekd|away, expect me to test it out then :)20:52
marekd|awaystevemar2: sure thing.20:53
stevemar2marekd|away, any necessary config changes to shib?20:53
stevemar2maybe enable ECP ?20:53
stevemar2but thats it?20:53
marekd|awaystevemar2: yes, enable ecp and pretty much that's all.20:53
marekd|awaystevemar2: you know how to do it?20:53
stevemar2where do i type in the username and password :P20:53
marekd|awayECP="true" in one directive in shibboleth2.xml file.20:54
stevemar2marekd|away, i think it's just 1 value in mod_shib? if it's not, i would appreciate docs if you have them20:54
stevemar2yeah20:54
marekd|awaythat's one value.20:54
*** david-lyle has quit IRC20:54
marekd|awayuser/pass are arguments  for plugin auth.20:54
stevemar2cool20:54
marekd|awayi had a wrapper around the plugins so one can execute from cmdline20:54
*** dims__ has joined #openstack-keystone20:54
stevemar2nice20:54
stevemar2good call20:54
stevemar2i look forward to trying it out!20:55
*** david-lyle has joined #openstack-keystone20:55
marekd|awaybut it's on my other computer so I can send it to you in 9-10h :/20:55
stevemar2lol20:55
stevemar2np20:55
stevemar2marekd|away, ttyl20:55
marekd|awayi wrote it on my knee so didnt bother with sharing among multiple devices etc ;/20:55
*** dims__ has quit IRC20:55
*** david-lyle has quit IRC20:55
*** dims__ has joined #openstack-keystone20:56
*** david-lyle has joined #openstack-keystone20:56
marekd|awaystevemar2: you'd better review protocols crud in keystoneclient :-)20:56
hrybackiWhat is the purpose of instantiating HTTPClient here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/client.py#L19  if it isn't used elsewhere?20:57
*** dims_ has quit IRC20:57
marekd|awayok, gotta run.20:59
*** stevemar2 has quit IRC20:59
*** erecio has quit IRC21:00
dstanekhrybacki: it's not creating an instance - it's likely an alias so that other modules can import it directly from client.py21:01
hrybackiah21:02
dstanekhrybacki: based on the comment that's likely to be backward compatible21:02
hrybackiare a lot of things wonky to maintain backwards compatibility?21:03
*** marcoemorais has quit IRC21:04
*** marcoemorais has joined #openstack-keystone21:04
dstanekhrybacki: i'm sure some things seem different. on the server side we have a deprecated decorator that we use for situations like this21:04
*** amcrn has quit IRC21:04
hrybackidstanek: okay, thank you, so much stuff to absorb21:05
fyb3rfound out curl http://localhost:35357/v2.0/certificates/signing is getting its connection refused 0,o21:06
*** hrybacki has quit IRC21:07
*** afazekas has joined #openstack-keystone21:10
*** david-lyle has quit IRC21:16
*** david-lyle has joined #openstack-keystone21:16
*** david-lyle has quit IRC21:17
*** david-lyle has joined #openstack-keystone21:20
fyb3rhttp://paste.openstack.org/show/84734/21:31
fyb3rive been trying to figure this out for just over 16 hours now, and im burnt on it. Not even really sure how to properly troubleshoot because of the vast amount of seemingly outdated docs 0,o any direct would be awesome21:31
dstanekfyb3r: is that from a glance log?21:35
*** joesavak has quit IRC21:36
fyb3rapi.log for glance, yes21:37
dstanekfyb3r: i'm not familiar with that :-(  is the token you specified valid?21:40
fyb3rim not specifying a token, which is what confused me lol21:40
dstanekare you using your credentials?21:41
fyb3rhttp://docs.openstack.org/icehouse/install-guide/install/apt/content/glance-verify.html following  this step currently in setting it up21:41
fyb3rim using the glance creds for the tenant: service21:42
fyb3ry21:42
fyb3roops misstype sry21:42
openstackgerritBob Thyne proposed a change to openstack/keystone-specs: Propose Specification for Endpoint Group Filter  https://review.openstack.org/10202321:43
dstanekfyb3r: do those credentials work directly against keystone?21:45
*** nkinder has quit IRC21:45
*** gordc has quit IRC21:49
*** jamielennox|away is now known as jamielennox21:51
*** lbragstad has quit IRC21:53
*** Dafna_away has quit IRC21:54
fyb3ryes they do21:54
fyb3rfor both admin and glance21:54
*** bobt has quit IRC21:55
fyb3rnow im just totally lost on what to do rofl. it makes no sense why it wouldnt authenticate if i can use glance with its credentials perfectly21:56
*** hrybacki has joined #openstack-keystone22:04
*** gordc has joined #openstack-keystone22:05
*** hrybacki has quit IRC22:05
*** hrybacki has joined #openstack-keystone22:05
openstackgerritPriti Desai proposed a change to openstack/keystone: Ignoring order of user list in TenantTestCase  https://review.openstack.org/10171222:05
*** gordc has quit IRC22:06
*** dstanek is now known as dstanek_zzz22:07
fyb3r>_> <_< >_<22:07
*** bknudson has quit IRC22:10
*** dstanek_zzz is now known as dstanek22:16
*** fyb3r has left #openstack-keystone22:26
openstackgerritJustin Shepherd proposed a change to openstack/keystone: Adding an index on token.user_id  https://review.openstack.org/10204122:31
*** marcoemorais has quit IRC22:35
*** marcoemorais has joined #openstack-keystone22:35
*** marcoemorais has quit IRC22:35
*** marcoemorais has joined #openstack-keystone22:36
*** marcoemorais has quit IRC22:36
*** marcoemorais has joined #openstack-keystone22:37
*** dstanek is now known as dstanek_zzz22:50
*** morganfainberg_L has joined #openstack-keystone23:12
*** morganfainberg has quit IRC23:12
*** morganfainberg_Z is now known as morganfainberg23:12
*** fyb3r has joined #openstack-keystone23:13
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from conf  https://review.openstack.org/9501523:18
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from CLI options  https://review.openstack.org/9567823:18
jamielennoxhey everyone - i really need to get some movement in keystoneclient. Please have a look at the following:23:19
jamielennoxhttps://review.openstack.org/#/c/8623723:19
jamielennoxhttps://review.openstack.org/9501523:19
jamielennoxhttps://review.openstack.org/9567823:20
*** amcrn has joined #openstack-keystone23:21
*** morganfainberg_L is now known as mdrnstm23:21
*** mdrnstm has quit IRC23:22
*** mdrnstm has joined #openstack-keystone23:22
*** morganfainberg has quit IRC23:22
*** mdrnstm is now known as morganfainberg23:22
*** morganfainberg_Z has joined #openstack-keystone23:22
*** marcoemorais has quit IRC23:23
*** marcoemorais has joined #openstack-keystone23:23
*** marcoemorais has quit IRC23:23
*** marcoemorais has joined #openstack-keystone23:24
fyb3rhttp://paste.openstack.org/show/84739/23:28
fyb3ri cant even find a log for that error23:33
fyb3ryeesh23:33
fyb3rcd23:34
morganfainbergjamielennox: +2 on the first one23:35
morganfainbergjamielennox: others look like they need rebase23:35
morganfainbergoh no the subsequent patches != the ones you linked :P23:35
morganfainbergnvm n the rebase23:35
*** oomichi has joined #openstack-keystone23:42
*** fyb3r has quit IRC23:44
*** david-lyle has quit IRC23:47
*** david-lyle has joined #openstack-keystone23:48
*** david-lyle has quit IRC23:52
*** xianghui has quit IRC23:59
