Thursday, 2014-10-30

*** bknudson has quit IRC00:01
*** stevemar has joined #openstack-keystone00:02
*** alex_xu has joined #openstack-keystone00:03
*** gyee has quit IRC00:06
*** bknudson has joined #openstack-keystone00:16
*** alex_xu has quit IRC00:18
*** alex_xu has joined #openstack-keystone00:18
*** marcoemorais has quit IRC00:18
*** marcoemorais has joined #openstack-keystone00:19
*** marcoemorais has quit IRC00:19
*** marcoemorais has joined #openstack-keystone00:19
*** marcoemorais has quit IRC00:20
*** marcoemorais has joined #openstack-keystone00:20
*** cjellick has quit IRC00:22
*** _cjones_ has quit IRC00:40
*** jorge_munoz has quit IRC00:47
wanghong: May I have a +A on these two patches: https://review.openstack.org/#/c/127110/, https://review.openstack.org/#/c/128197/. They are simple and have had a +2 for a long time.  00:52
*** stevemar has quit IRC01:01
*** stevemar has joined #openstack-keystone01:01
*** alex_xu has quit IRC01:02
*** david-lyle has joined #openstack-keystone01:03
*** HenryG has quit IRC01:04
*** HenryG_ has joined #openstack-keystone01:04
*** HenryG_ is now known as HenryG01:04
*** stevemar has quit IRC01:05
*** stevemar has joined #openstack-keystone01:05
*** marcoemorais has quit IRC01:06
*** dolphm has quit IRC01:07
*** lbragstad has quit IRC01:07
*** dtroyer has quit IRC01:07
*** Ephur has quit IRC01:07
*** dims__ has quit IRC01:08
*** d34dh0r53 has quit IRC01:08
*** lbragstad has joined #openstack-keystone01:08
*** marcoemorais has joined #openstack-keystone01:08
*** dims__ has joined #openstack-keystone01:08
*** rm_work has quit IRC01:08
*** hockeynut has quit IRC01:08
*** sigmavirus24 has quit IRC01:08
*** russellb has quit IRC01:09
*** mgagne has quit IRC01:10
*** dims__ has quit IRC01:13
*** dolphm has joined #openstack-keystone01:13
*** dims__ has joined #openstack-keystone01:13
*** d34dh0r53 has joined #openstack-keystone01:13
*** david-lyle has quit IRC01:13
*** Ephur has joined #openstack-keystone01:14
*** russellb has joined #openstack-keystone01:15
*** sigmavirus24_awa has joined #openstack-keystone01:16
*** dims__ has quit IRC01:17
*** hockeynut has joined #openstack-keystone01:21
*** lbragstad_ has joined #openstack-keystone01:21
*** mgagne has joined #openstack-keystone01:21
*** dtroyer has joined #openstack-keystone01:21
*** mgagne is now known as Guest7651101:21
*** Guest76511 is now known as mgagne01:22
*** mgagne is now known as Guest5133901:23
*** rm_work has joined #openstack-keystone01:23
*** shikui__ has quit IRC01:24
*** lbragstad has quit IRC01:26
*** lbragstad_ is now known as lbragstad01:26
*** chrisshattuck has quit IRC01:27
*** marcoemorais has quit IRC01:28
*** openstackgerrit has joined #openstack-keystone01:30
*** marcoemorais has joined #openstack-keystone01:36
openstackgerrit: Brant Knudson proposed a change to openstack/keystonemiddleware: Change tenant to project  https://review.openstack.org/127066  01:42
openstackgerrit: Brant Knudson proposed a change to openstack/keystonemiddleware: Correct tests to use strings in conf  https://review.openstack.org/128655  01:42
openstackgerrit: Brant Knudson proposed a change to openstack/keystonemiddleware: Auth token supports deprecated names for paste conf options  https://review.openstack.org/128656  01:42
openstackgerrit: Brant Knudson proposed a change to openstack/keystonemiddleware: Change admin user to service user.  https://review.openstack.org/127075  01:42
openstackgerrit: Brant Knudson proposed a change to openstack/keystonemiddleware: Change occurrences of keystone to identity server  https://review.openstack.org/127062  01:42
*** marcoemorais has quit IRC01:43
ayoung: r1chardj0n3s, I tried running Angboard. The UI rendered, but the AJAX call never returned  01:46
ayoung: Running "watch" task  01:48
ayoung: Waiting...  01:48
ayoung: Fatal error: spawn ENOENT  01:48
openstackgerrit: Brant Knudson proposed a change to openstack/keystonemiddleware: Change tenant to project  https://review.openstack.org/127066  01:48
openstackgerrit: Brant Knudson proposed a change to openstack/keystonemiddleware: Change admin user to service user.  https://review.openstack.org/127075  01:48
openstackgerrit: Brant Knudson proposed a change to openstack/keystonemiddleware: Fix paste config option conversion for auth options  https://review.openstack.org/131914  01:48
ayoung: r1chardj0n3s, I think that making fauxstack into a wsgi should be pretty simple, no?  01:53
openstackgerrit: Brant Knudson proposed a change to openstack/keystonemiddleware: I18n  https://review.openstack.org/131287  02:00
*** richm has quit IRC02:01
ayoung: port :35729  eh  02:02
openstackgerrit: Steve Martinelli proposed a change to openstack/pycadf: Add release notes  https://review.openstack.org/131916  02:04
*** Kui has joined #openstack-keystone02:08
r1chardj0n3s: ayoung: hi, sorry, was napping.  02:11
ayoung: r1chardj0n3s, no problem  02:11
r1chardj0n3s: ayoung: (seem to have caught a cold in time for Paris, yay!)  02:11
ayoung: I figured out part of it:  opened port :35729  02:11
r1chardj0n3s: ayoung: fauxstack *is* a wsgi app, you just need to hook into it the correct way  02:11
ayoung: but I think the real issue is fauxstack  02:11
ayoung: I run it like this:  02:12
ayoung: grunt serve --keystone-url=http://$HOSTNAME:5000/v2.0  02:12
r1chardj0n3s: what's that port for? is that liveReload?  02:12
r1chardj0n3s: yep  02:12
ayoung: yeah  02:12
openstackgerrit: Steve Martinelli proposed a change to openstack/pycadf: Add release notes  https://review.openstack.org/131916  02:12
ayoung: OK...so let me see what I get from curl  02:12
r1chardj0n3s: right; could probably put in an option to turn it off if it breaks  02:12
r1chardj0n3s: but it's too damn useful when developing ;)  02:12
ayoung: keystone/RegionOne/  02:13
ayoung: just seems to hang on  02:14
r1chardj0n3s: if you want to run the proxy as a separate wsgi thing, then you could use fauxstack.main.proxy_app in a regular WSGI setup  02:14
ayoung: curl http://horizon.younglogic.net:9000/api  02:14
*** david-lyle has joined #openstack-keystone02:14
ayoung: how do I debug?  02:14
r1chardj0n3s: flask.log?  02:14
r1chardj0n3s: it should give you debug info on what the proxy is doing  02:14
ayoung: where is that stuck?  02:14
r1chardj0n3s: cwd to the grunt serve command  02:15
ayoung: nothing there  02:15
r1chardj0n3s: that would imply flask isn't even being started...  02:15
ayoung: would that explain the ENOENT?  02:15
r1chardj0n3s: do you see "Logging to flask.log" in the grunt serve output?  02:15
ayoung: Running "flask" task  02:15
ayoung: Starting Flask proxy server.  02:15
ayoung: Running "watch" task  02:15
ayoung: Waiting...  02:15
ayoung: Fatal error: spawn ENOENT  02:15
ayoung: Fatal error: connect ECONNREFUSED  02:15
ayoung: Fatal error: socket hang up  02:15
ayoung: Fatal error: connect ECONNREFUSED  02:15
ayoung: Fatal error: socket hang up  02:15
r1chardj0n3s: yikes, yeah, wtf?  02:16
r1chardj0n3s: that's the proxy failing to start up  02:16
ayoung: fauxstack?  02:16
r1chardj0n3s: ENOENT ... hmm  02:16
r1chardj0n3s: yeah  02:16
ayoung: so how can I run just the proxy?  02:16
r1chardj0n3s: yep, so just:  02:16
r1chardj0n3s: activate the venv  02:16
r1chardj0n3s: (.node-virtualenv)  02:16
r1chardj0n3s: and run "python run_fauxstack.py" to see if that works at all  02:17
ayoung: I'm missing .node-virtualenv  02:18
r1chardj0n3s: right, that should have been created with "npm install"  02:18
r1chardj0n3s: please run "npm install" and check for errors  02:18
ayoung: sudo npm install -g grunt-cli bower  ?  02:18
r1chardj0n3s: uh, do you have Python 3.4?  02:18
ayoung: why sudo?  02:18
r1chardj0n3s: no  02:18
*** lhcheng has quit IRC02:18
ayoung: 3.3  02:18
r1chardj0n3s: in the install instructions, there are two npm install commands  02:18
*** david-lyle has quit IRC02:19
r1chardj0n3s: ok, please git pull, I've just relaxed the python version requirement  02:19
r1chardj0n3s: I had it pinned to 3.4 rather unreasonably  02:19
r1chardj0n3s: sorry about that  02:19
ayoung: how do I do a clean setup no?  02:20
ayoung: now  02:20
r1chardj0n3s: but yeah, in the install, there are two npm installation invocations required, because some of the commands *must* be installed "globally" in /usr/local, but the rest can be local (node just doesn't have a venv solution like python, sadly)  02:20
r1chardj0n3s: just re-run the install commands, should work  02:20
ayoung: k  02:20
r1chardj0n3s: the three install commands in the README that is  02:20
ayoung: sudo npm install -g grunt-cli bower  02:20
ayoung: ?  02:20
ayoung: Ok  02:20
r1chardj0n3s: yup  02:20
r1chardj0n3s: and the next two  02:20
r1chardj0n3s: just to be sure  02:20
ayoung: that is some scary listing  02:20
r1chardj0n3s: they're smart enough to understand that stuff might already be installed  02:21
ayoung: is that all the 304s?  02:21
r1chardj0n3s: yeah, node folk loves them their many, small dependencies  02:21
r1chardj0n3s: yeah, there's caching up the wazoo  02:21
ayoung: OK, I see python3 stuff that seems to be working  02:21
r1chardj0n3s: \o/  02:21
r1chardj0n3s: again, sorry about that 3.4 pinning  02:22
r1chardj0n3s: :(  02:22
ayoung: Creating /opt/angboard/.node-virtualenv  02:22
ayoung: no problem.  I ignored it at my own peril  02:22
ayoung: 'swhat happens when you work around midnight  02:22
r1chardj0n3s: yeah  02:22
ayoung: Running "watch" task  02:23
ayoung: Waiting...  02:23
ayoung: OK...let's see  02:23
r1chardj0n3s: ayoung: thanks for giving it a go; if you have any comments about how to make stuff better I'd love to know :)  02:23
ayoung: SCHWEET!  02:24
r1chardj0n3s: win?  02:24
ayoung: http://horizon.younglogic.net:9000/#/home  02:24
r1chardj0n3s: \o/  02:24
ayoung: OK,  how do I log out?  02:24
r1chardj0n3s: there should be a logout link in the sidebar  02:25
ayoung: Got it  02:25
ayoung: I think the demo account is borked  02:25
ayoung: admin works though  02:25
r1chardj0n3s: works for me, though I don't know the password ;)  02:25
ayoung: r1chardj0n3s, OK...so where is the Keystone stuff?  02:26
r1chardj0n3s: I don't think I've actually had two people going thru the proxy at once - nice to know that bit works ;)  02:26
ayoung: Heh  02:26
r1chardj0n3s: keystone is implemented in app/scripts/controllers/keystone.js  02:27
ayoung: This is the way Horizon should have been built from the get go  02:27
ayoung: OK...let me see if I can make it work with V3  02:27
ayoung: so we get domains, and Kerberos...  02:27
r1chardj0n3s: but note, there are keystone login hacks in the proxy to cache the service catalog, I don't know whether that will need to change at all  02:27
r1chardj0n3s: the service catalog caching is required so that the proxy can correctly map actions to the appropriate token-specific URLs that are in the catalog for each user :/  02:28
ayoung: yes it will  02:28
ayoung: let me look....all that is in fauxstack right?  02:29
r1chardj0n3s: in fauxstack/proxy.py  02:29
ayoung: should be pretty similar  02:29
ayoung: the service catalog looks the same  02:29
r1chardj0n3s:     # spy on serviceCatalog responses  02:29
r1chardj0n3s:     if service == 'keystone' and file == 'tokens' and \  02:29
r1chardj0n3s: that bit :)  02:29
ayoung: so on V3 the login goes to /v3/auth/tokens  02:30
ayoung: instead of /v3/tokens  02:30
ayoung: and the response is...well different JSON  02:30
r1chardj0n3s: well, that's what versioning is for ;)  02:31
ayoung: yeah  02:31
ayoung: so I think the only thing that needs to change is  02:31
ayoung: # spy on serviceCatalog responses  02:31
ayoung: r1chardj0n3s, and we can use my javascript to show it...  02:32
r1chardj0n3s: cool  02:32
ayoung: r1chardj0n3s, you have firebug installed, I suppose?  02:32
r1chardj0n3s: erm, hang on, I'll start firefox :)  02:33
ayoung: heh...do that kinit I had you do yesterday too  02:33
r1chardj0n3s: yep  02:34
ayoung: password would work too, actually, but it would be good to show you the difference  02:34
ayoung: so  02:34
ayoung: https://keystone.younglogic.net/keystone/cops/#  is a slightly different Keystone setup  02:34
ayoung: it actually talks to the same LDAP server as horizon.younglogic.net,  but I chose different defaults when setting it up, etc  02:35
ayoung: the biggest difference with IPA/LDAP is that in this one the domain is YOUNGLOGIC.NET, whereas I had to drop the .NET for the one I'm demoing next week  02:35
ayoung: anyway,  you remember how to get an unscoped token, then list tokens, then get a scoped token?  02:36
r1chardj0n3s: k  02:36
r1chardj0n3s: yep, clicky clicky  02:36
ayoung: take a look at the JSON response in firebug, and you'll see the diff in the scoped token  02:36
*** alex_xu has joined #openstack-keystone02:37
ayoung: http://paste.fedoraproject.org/146372/41463671/  02:38
ayoung: token.catalog.endpoints  02:38
ayoung: token.catalog[0].endpoints  for Keystone  02:39
r1chardj0n3s: yup  02:39
r1chardj0n3s: I must be missing something, I'm looking at the net traffic for the "Get Token" bit and there's no identifying information at all being POSTed to keystone, just {"auth":{"identity":{"methods":["kerberos"],"kerberos":{}}}}  02:41
r1chardj0n3s: I see a www-negotiate in response - I guess the krb plugin is doing magic?  02:41
ayoung: Yep  02:49
ayoung: ok,  here's what happens  02:50
ayoung: first, it sends the request with just the negotiate, and gets back the 403  02:50
*** Kui has quit IRC02:50
ayoung: the first time that the browser gets the 403, it goes to the kerberos server (KDC) and gets a service ticket  02:51
ayoung: that service ticket has enough info in it that only the user and the remote server can decrypt the data that gets sent...it's a key sharing mechanism  02:51
r1chardj0n3s: ah ok  02:52
ayoung: so that 403 has a challenge in it, and the browser uses the info in the ticket to respond  02:52
ayoung: the challenge tells the browser that the server is the right place, and the response does the same for the server  02:52
ayoung: it's 2 way authentication  02:52
ayoung: which is a hell of a lot safer than sending your password to some (possibly phished) site  02:53
ayoung: and getting back "Sure! come on in and give me your credit card while you are at it!"  02:53
*** david-lyle has joined #openstack-keystone02:53
ayoung: there is a place on firebug you can see more details...I'm a lookin  02:54
ayoung: if you click get token you can quickly see the 401 (not 403, sorry)  02:57
r1chardj0n3s: yeah, I see that flashing by :)  02:57
ayoung: this one is set up with https  02:58
*** david-lyle has quit IRC02:58
ayoung: I didn't do that for horizon.younglogic.net yet  02:58
ayoung: anyway,  first step is to get V3 working instead of v2, as that will let us do domains  02:58
*** alex_xu has quit IRC02:58
r1chardj0n3s: ok  02:59
r1chardj0n3s: shouldn't be too hard  02:59
ayoung: then next step is to be able to switch to kerberos for auth, and to deal with getting an unscoped token  02:59
ayoung: your logic is based on SQL, where default project is set, and you always get a scoped token  02:59
ayoung: but for LDAP, that is not going to be the case  02:59
ayoung: without a scoped token, you get no service catalog  02:59
ayoung: So you could do something like this:  02:59
ayoung: get the token, look to see if it is scoped, if not, list projects (same base AUTH_URL) and select the first one  03:00
ayoung: that is what Horizon does  03:00
ayoung: also, you can use that list to populate a drop down, and let people swap which token they have active.  But...  03:00
ayoung: there are some issues with Policy, and we want to be able to let people select which token to use for what.  See, domain level operations require a domain token, and Horizon has no way to support that  03:01
ayoung: but...that can be down the road  03:02
r1chardj0n3s: still a bit of work to go then :)  03:02
ayoung: this is cool....very cool  03:02
ayoung: nkinder, are you still awake?  03:02
nkinder: ayoung: yep  03:02
ayoung: nkinder, I've got the javascript code that r1chardj0n3s wrote up and running here:  03:02
ayoung: http://horizon.younglogic.net:9000/#/home  03:02
nkinder: ayoung: angboard?  03:02
ayoung: nkinder, yes  03:02
ayoung: nkinder, give me a sec  03:02
ayoung: server keeps kicking me out and killing the webserver  03:03
ayoung: oh, wait, getting address already in use, maybe it didn't kill it?  03:03
nkinder: ayoung: it's up  03:03
*** david-lyle has joined #openstack-keystone03:04
ayoung: nkinder, tenant = admin, user = admin,  same password as you've been using  03:04
ayoung: nkinder, we were just discussing the steps to Kerberos.  Shouldn't be too bad  03:04
nkinder: I like that I can see my token contents  03:05
ayoung: nkinder, so he has a proxy running called fauxstack.  It routes all of the traffic through one server  03:05
ayoung: so, would still be S4U2 I think  03:05
nkinder: ayoung: what about the other approach we were discussing about handing a token off to the dashboard?  03:06
ayoung: nkinder, it's basically the same thing  03:07
nkinder: that could get us SAML and other federation schemes  03:07
ayoung: this could do it as well...probably could use the same Javascript  03:07
ayoung: Both are using Angular.js  03:07
*** david-lyle has quit IRC03:08
ayoung: nkinder, we could still drop the proxy and go direct to Keystone, it just brings in all of the CORS requirements to do that  03:08
r1chardj0n3s: yeah, ugh, cors  03:09
ayoung: this lets the Javascript development move forward without solving CORS up front  03:09
r1chardj0n3s: there's also the cookie thing which makes working with swift a lot easier  03:09
ayoung: r1chardj0n3s, I'm trying to make that a feature of auth_token middleware so we can do it with all of the services  03:10
r1chardj0n3s: ayoung: you're still trying to push that?  03:10
ayoung: the cookie thing?  Just one of many irons in the forge  03:10
*** openstackgerrit has quit IRC03:10
r1chardj0n3s: oh, wait, cookie as a middleware thing, not CORS?  03:11
r1chardj0n3s: :)  03:11
ayoung: r1chardj0n3s, don't forget we have many use cases  03:11
ayoung: yeah  03:11
ayoung: CORS too, though  03:11
r1chardj0n3s: I like that plan a lot then :)  03:11
*** radez is now known as radez_g0n303:11
ayoung: I think we will need it eventually  03:11
ayoung: there are use cases that call for it, but it doesn't need to be a blocker  03:11
r1chardj0n3s: the single-point thing that the proxy provides is also nice 'cos you only need one SSL certificate :)  03:11
nkinder: looks like great weather for paris... rain Sun-Wed  03:12
r1chardj0n3s: great weather for indoors activities, which I anticipate spending most of my time in  03:12
ayoung: r1chardj0n3s, OK,  so what would I need to do to convert what you have to mod_wsgi?  03:12
*** alex_xu has joined #openstack-keystone03:12
r1chardj0n3s: find a way to use fauxstack.main.proxy_app  03:12
ayoung: Flask is the web server, right?  03:12
r1chardj0n3s: proxy_app gives you a wsgi app  03:13
ayoung: ok,  let's say this is going on https://angboard.younglogic.net  03:13
ayoung: static code goes  03:13
ayoung: /var/www/html?  03:13
r1chardj0n3s: "grunt build" and then yeah, put the contents of dist in there  03:14
ayoung: hmmm.  03:14
*** dims__ has joined #openstack-keystone03:14
r1chardj0n3s: (that's "for realsies" deployment, not dev)  03:15
ayoung: that is basically the app subdir  03:15
r1chardj0n3s: and all the supporting js/css minified etc  03:15
ayoung: then we'd need a wsgi file in /var/www/cgi-bin  03:16
ayoung: is that run_flask?  03:16
ayoung: duh no  03:16
ayoung: run_fauxstack  03:16
r1chardj0n3s: just use mod_wsgi?  03:16
r1chardj0n3s: to serve /api  03:16
ayoung: yeah  03:16
ayoung: but mod_wsgi needs a single entrypoint, like  03:16
ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/httpd/keystone.py  03:17
ayoung: that is what we use for keystone  03:17
r1chardj0n3s: right, so maybe someone needs to add paste support so it can be configured reasonably?  03:17
ayoung: it only requires the AUTH_URL from Keystone as a config value, right?  03:17
r1chardj0n3s: to be honest, I haven't given much thought to deployment; it's low on the priority list for a prototype :)  03:17
r1chardj0n3s: logging should also be configured  03:18
r1chardj0n3s: I guess  03:18
ayoung: yeah, just to get a demo up that I don't have to worry about crashing  03:18
ayoung: also, I need it done "right" for Kerberos support  03:18
*** dims__ has quit IRC03:19
ayoung: r1chardj0n3s, I'd be OK with hardcoding the URL to start.  I just need it in mod_wsgi  03:20
r1chardj0n3s: yup  03:20
ayoung: so could we use fauxstack/main.py?  03:20
ayoung: or probably could merge that and proxy into just fauxstack.py  03:21
r1chardj0n3s: the intention is that fauxstack grows to be able to actually fake API interaction  03:21
r1chardj0n3s: that's why it's split  03:21
ayoung: ah, so we could have a static impl  03:21
r1chardj0n3s: yah  03:22
ayoung: I wonder if we could make it kind of a light Keystone...none of the admin functions, just the issue token piece  03:23
ayoung: would clean up all of the SSO Kerberos stuff  03:23
r1chardj0n3s: it'll probably have to have some smarts like that, yeah  03:24
ayoung: I kind of want to make the token issuing its own pipeline anyway  03:24
ayoung: we could, in theory, build that pipeline and fauxstack into one service  03:24
r1chardj0n3s: when do you arrive in Paris, btw?  03:24
ayoung: let me check  03:24
ayoung: Arrives on Nov 2, 2014  03:26
ayoung: CDG 8:35am  03:26
r1chardj0n3s: ok, cool. there's a horizon gathering in the Meridien bar at 8pm if you're awake :)  03:27
ayoung: "It's a rainy night in Paris and I'm sitting by the Seine...it's a pleasure to be soaking in the European rain..."  03:27
ayoung: r1chardj0n3s, You still look like your profile picture?  03:28
r1chardj0n3s: yup  03:28
ayoung: https://www.flickr.com/photos/andy47/3086126760/in/faves-richard_jones/  03:28
r1chardj0n3s: yep, that's me  03:29
r1chardj0n3s: and I still likes games  03:29
r1chardj0n3s: ;)  03:29
ayoung: cool. nkinder didn't want to tell me what he looked like last summit.  If he wasn't standing next to one of our co-workers that I did not (and grinning like a Cheshire Cat) he would have gotten away with it.  03:30
ayoung: I'll bring my Go board  03:30
r1chardj0n3s: :)  03:30
r1chardj0n3s: does make it difficult :)  03:30
r1chardj0n3s: I'm packing three boardgames :)  03:30
ayoung: Do you play Go?  03:30
r1chardj0n3s: nup, never did get into it. have a board, but don't play it  03:30
ayoung: K...once it grabs you...it gets you hard  03:30
ayoung: layers upon layers  03:31
r1chardj0n3s: :)  03:31
ayoung: My son recently got a game I bet you'd like  03:31
ayoung: http://www.educationalinsights.com/product/check+math!--174-+game.do  03:31
*** dguerri has quit IRC03:32
r1chardj0n3s: looks neat  03:32
ayoung: It's like an intro to number theory.  I still haven't figured out a strategy  03:32
r1chardj0n3s: :)  03:32
ayoung: yeah,  10 pieces, each with a number 1 to 10  03:32
r1chardj0n3s: my daughter quite likes her numbers. hmmm.. :)  03:32
ayoung: a piece can only move onto a multiple of itself  03:32
ayoung: so 1 can move anywhere, and 10 is restricted to the 10s column  03:33
ayoung: it's when you realize that common multiples are the strategic spaces that gets your head spinning  03:33
ayoung: my 8 year old routinely beats me at it, and I'm not throwing the game when he does  03:34
ayoung: what are you bringing?  03:34
r1chardj0n3s: sorry, was lost trying to figure out the shipping on that ;)  03:35
r1chardj0n3s: I'll be bringing Dominion, Sentinels of the Multiverse, Love Letter and Hanabi  03:36
r1chardj0n3s: a bunch of my co-workers will be bringing games as well. we coordinated so we didn't double-up :)  03:36
*** anteaya has quit IRC03:37
*** anteaya has joined #openstack-keystone03:45
ayoung: sounds good.  I'm headed to bed.  Oh, and I'll be bringing a Tenor Sax.  Just cuz.  03:56
ayoung: Gnight  03:56
*** ayoung is now known as ayoung-Zzzz03:56
*** david-lyle has joined #openstack-keystone04:04
*** david-lyle has quit IRC04:09
*** gokrokve has joined #openstack-keystone04:18
*** vsilva is now known as victsou04:35
*** victsou is now known as vsilva04:35
*** marcoemorais has joined #openstack-keystone04:38
*** marcoemorais1 has joined #openstack-keystone04:40
*** marcoemorais has quit IRC04:43
*** oomichi_ has joined #openstack-keystone04:54
*** kevinbenton has quit IRC04:57
*** gokrokve has quit IRC05:01
stevemar: r1chardj0n3s, hanabi is a very fun game, get to see folks stress out :)  05:04
*** david-lyle has joined #openstack-keystone05:05
r1chardj0n3s: stevemar :)  05:07
stevemar: r1chardj0n3s, i think i'll bring my copy of hanabi too, it's small enough to fit in the suitcase  05:07
stevemar: and maybe timeline too  05:07
r1chardj0n3s: \o/  05:08
r1chardj0n3s: no idea when we'll fit gaming in, but we're keen :)  05:08
*** samuelms_home has quit IRC05:08
*** vsilva is now known as victsou05:09
*** david-lyle has quit IRC05:09
stevemar: i'm sure we can squeeze some in  05:10
*** victsou is now known as vsilva05:10
*** samuelms_home has joined #openstack-keystone05:10
*** dims__ has joined #openstack-keystone05:16
*** lhcheng has joined #openstack-keystone05:19
*** dims__ has quit IRC05:21
*** lhcheng has quit IRC05:23
*** alex_xu has quit IRC05:28
*** alex_xu has joined #openstack-keystone05:28
*** harlowja is now known as harlowja_away05:30
* morganfainberg is back-ish  05:45
morganfainberg: finally.  05:45
*** ajayaa has joined #openstack-keystone05:48
*** stevemar has quit IRC05:50
*** lhcheng has joined #openstack-keystone05:58
*** david-lyle has joined #openstack-keystone06:06
*** david-lyle has quit IRC06:10
*** kevinbenton has joined #openstack-keystone06:11
*** ajayaa has quit IRC06:33
*** ajayaa has joined #openstack-keystone06:35
*** k4n0 has joined #openstack-keystone06:37
*** ajaya has joined #openstack-keystone06:47
*** wanghong has quit IRC06:51
*** gokrokve has joined #openstack-keystone06:52
*** wanghong has joined #openstack-keystone07:01
*** david-lyle has joined #openstack-keystone07:07
*** nellysmitt has joined #openstack-keystone07:09
*** david-lyle has quit IRC07:11
*** ajayaa has quit IRC07:13
*** ajaya has quit IRC07:14
*** ajayaa has joined #openstack-keystone07:14
*** samuelms_home has quit IRC07:30
*** lhcheng has quit IRC07:35
*** tomoiaga has joined #openstack-keystone07:48
*** david-lyle has joined #openstack-keystone08:08
*** david-lyle has quit IRC08:12
*** dims__ has joined #openstack-keystone08:18
*** dims__ has quit IRC08:23
*** afazekas_ has quit IRC08:26
*** jaosorior has joined #openstack-keystone08:32
*** aix has joined #openstack-keystone08:43
*** afazekas_ has joined #openstack-keystone08:46
*** afazekas has quit IRC08:47
*** marekd|away is now known as marekd08:47
*** jistr has joined #openstack-keystone08:59
*** david-lyle has joined #openstack-keystone09:08
*** david-lyle has quit IRC09:13
*** alex_xu has quit IRC09:24
*** oomichi_ has quit IRC09:49
*** henrynash has quit IRC09:54
*** marcoemorais1 has quit IRC09:55
*** mitz_ has quit IRC09:56
*** mitz_ has joined #openstack-keystone09:57
*** david-lyle has joined #openstack-keystone10:09
*** david-lyle has quit IRC10:14
*** dims__ has joined #openstack-keystone10:20
*** dims__ has quit IRC10:25
*** KanagarajM has joined #openstack-keystone10:46
*** dims__ has joined #openstack-keystone10:55
*** henrynash has joined #openstack-keystone11:03
*** yasu_ has joined #openstack-keystone11:09
*** yasu_ has quit IRC11:15
*** vb123 has quit IRC11:15
*** vb123 has joined #openstack-keystone11:16
*** tellesnobrega has joined #openstack-keystone11:34
*** jdennis has quit IRC11:38
*** KanagarajM has quit IRC11:47
*** vb123 has quit IRC11:48
*** amakarov_away is now known as amakarov11:49
*** miqui has joined #openstack-keystone12:15
*** jistr has quit IRC12:33
thiagop: Hello henrynash. Have you had time to take a look at the PoC of Horizon using the endpoint policy?  12:35
*** ayoung-Zzzz is now known as ayoung12:42
*** jamielennox|away is now known as jamielennox12:44
*** topol has joined #openstack-keystone12:48
*** vejdmn has joined #openstack-keystone12:48
*** dims__ has quit IRC12:51
*** dims__ has joined #openstack-keystone12:51
*** vejdmn has quit IRC12:52
*** vejdmn has joined #openstack-keystone12:52
*** bknudson has quit IRC12:55
*** thiagop has quit IRC12:56
*** breton has quit IRC12:57
*** thiagop has joined #openstack-keystone12:57
*** jistr has joined #openstack-keystone12:57
*** jistr is now known as jistr|biab12:57
*** breton has joined #openstack-keystone12:57
*** gordc has joined #openstack-keystone12:58
*** vhoward has joined #openstack-keystone13:09
*** david-lyle has joined #openstack-keystone13:11
*** david-lyle has quit IRC13:11
*** david-lyle has joined #openstack-keystone13:11
*** richm has joined #openstack-keystone13:12
*** david-lyle has quit IRC13:14
*** bknudson has joined #openstack-keystone13:16
*** boris-42 has joined #openstack-keystone13:25
*** vejdmn has quit IRC13:25
*** vejdmn has joined #openstack-keystone13:26
*** vejdmn has quit IRC13:33
*** vejdmn has joined #openstack-keystone13:33
*** ajayaa has quit IRC13:36
*** jistr|biab is now known as jistr13:38
*** stevemar has joined #openstack-keystone13:48
*** vejdmn has quit IRC14:00
*** stevemar has quit IRC14:01
*** dims_ has joined #openstack-keystone14:02
*** ajayaa has joined #openstack-keystone14:03
*** sigmavirus24_awa is now known as sigmavirus2414:04
*** vejdmn has joined #openstack-keystone14:05
*** dims__ has quit IRC14:05
*** dims_ has quit IRC14:07
*** radez_g0n3 is now known as radez14:08
*** nellysmitt has quit IRC14:10
*** Deep_ has joined #openstack-keystone14:12
Deep_: Hello, I am getting the following error while creating a service in keystone with postgresql: 2014-10-30 18:41:00.524 32196 INFO eventlet.wsgi.server [-] (32196) wsgi starting up on http://0.0.0.0:35357/ 2014-10-30 18:41:08.161 32058 WARNING oslo.db.sqlalchemy.session [-] SQL connection failed. 1 attempts left. 2014-10-30 18:41:18.172 32058 CRITICAL keystone [-] DBConnectionError: (OperationalError) (2003, "Can't connect to MySQ  14:13
Deep_: what am I missing here?  14:14
*** david-lyle has joined #openstack-keystone14:14
ayoung: nkinder, I want to do a python-ldap call with system defaults for gssapi.  14:15
ayoung: the equivalent of an ldapmodify -X gssapi  14:15
ayoung: make that -Y  14:16
*** vejdmn has quit IRC14:18
*** vejdmn has joined #openstack-keystone14:19
*** david-lyle has quit IRC14:19
*** raildo has joined #openstack-keystone14:22
jamielennox: Deep_: it looks like your database connection string in keystone.conf is wrong  14:24
jamielennox: i can't remember what the string is but if it's postgres it should start with postgres:// or something similar to indicate the driver type  14:24
*** ajayaa has quit IRC14:25
Deep_: connection = postgresql://keystone:Passw0rd@localhost/keystone  14:26
*** vejdmn has quit IRC14:26
Deep_: this is my string in the keystone.conf. db_sync is working fine  14:26
*** vejdmn has joined #openstack-keystone14:27
Deep_: but while adding the service it is failing, a few more msgs: 2014-10-30 19:53:38.445 1791 ERROR keystone.common.wsgi [-] (OperationalError) could not connect to server: Permission denied         Is the server running on host "dgnode2" (192.168.122.32) and accepting         TCP/IP connections on port 5432?  None None  14:28
Deep_: i also added host all all 0.0.0.0/0 md5 in pg_hba.conf  14:31
*** k4n0 has quit IRC14:34
*** stevemar has joined #openstack-keystone14:36
*** aix has quit IRC14:37
*** vhoward has left #openstack-keystone14:37
*** saipandi has joined #openstack-keystone14:39
*** tomoiaga has quit IRC14:41
jamielennox: Deep_: weird - i was more going on the "can't connect to mysql" string being an issue  14:43
jamielennox: if you start up keystone with --debug does it list the correct string?  14:43
*** andreaf has joined #openstack-keystone14:46
*** aix has joined #openstack-keystone14:51
*** miqui has quit IRC14:51
*** david-lyle has joined #openstack-keystone14:55
*** thedodd has joined #openstack-keystone14:57
*** Deep_ has quit IRC14:59
*** andreaf has quit IRC15:00
*** henrynash has quit IRC15:07
*** david-lyle has quit IRC15:07
*** david-lyle has joined #openstack-keystone15:08
*** jorge_munoz has joined #openstack-keystone15:11
marekd: stevemar: hey. What version of osc do you think will have all the code required for federated authentication?  15:15
marekd: 0.4?  15:15
marekd: 0.4?  15:15
marekd: 0.5 ?  15:15
stevemar: o/  15:15
marekd: \o  15:15
stevemar: what are we at now?  15:15
stevemar: 0.4.1 apparently  15:16
stevemar: then 0.5 will have it  15:16
stevemar: dtroyer, yo  15:16
marekd: ok  15:16
marekd: that's enough for me.  15:16
stevemar: dtroyer, thoughts on cutting a new OSC? cc marekd  15:16
stevemar: dtroyer, we were already talking about it before  15:16
stevemar: marekd, what else needs to land  15:16
marekd: stevemar: did listing  federated projects/domains land?  15:17
stevemar: marekd, i played with creating a protocol+mapping+idp last night :) it was great, +1 for less curls  15:17
marekd: i was out of sync for a little bit.  15:17
stevemar: marekd, nope! but it's close  15:17
stevemar: marekd, is that it? any more authN bits?  15:17
marekd: stevemar: ok, so this is something that needs to land.  15:17
marekd: no.  15:17
marekd: stevemar: dude, I freely utilize clouds with SAML :-)  15:17
marekd: and with osc i merged myself. It is indeed nice  15:18
*** chrisshattuck has joined #openstack-keystone15:18
marekdreally great job /cc mhu15:19
stevemari'm so jealous you get to actually use it :)15:23
stevemarmarekd, i had 1 comment, i'll fix it and then +215:23
stevemarwe've been meaning to get a new release out anyway15:23
*** gokrokve has quit IRC15:24
stevemarmarekd, https://review.openstack.org/#/c/124101/ if you would be so kind15:28
*** vsilva has quit IRC15:29
*** chrisshattuck has quit IRC15:30
mhumarekd, stevemar: nice!15:30
mhumarekd, I am currently toying with django_openstack_auth to add ksc sessions + auth plugins15:32
mhuthe idea is to let the user choose the authentication method on the login form among preselected ones15:32
mhuso with your saml wrapper plugin some form of SAML auth would be possible in Horizon15:33
marekdmhu: it's a first step for websso?15:33
marekdmhu: i think it's more complicated15:33
*** cjellick has joined #openstack-keystone15:34
marekdthan that15:34
mhumarekd, no, it's actually15:34
marekdstevemar: looking15:34
mhumainly to support auth plugins15:34
mhumarekd, agreed, it'd be some limited form of SAML auth15:35
*** mitz_ has quit IRC15:35
marekdmhu: have you thought through whole workflow?15:35
marekdKeystone and Horizon are separate entities.15:36
marekdyou want Horizon to be a SP, while it's keystone who needs to be it.15:36
*** _cjones_ has joined #openstack-keystone15:38
mhumarekd, what I am doing won't fit in that workflow, it's really a limited form of SAML auth. :) It'll be a bit like a pretty GUI frontend for osc, in a way15:38
mhuso no redirection to the IdP from Horizon, etc15:39
marekdmhu: ok, i assume you know the stuff15:39
*** lcurtis has joined #openstack-keystone15:45
lcurtishello all...when setting up keystone originally i forgot to add in provider = keystone.token.providers.uuid.Provider15:46
lcurtisdriver = keystone.token.persistence.backends.sql.Token in keystone.conf15:46
lcurtisran into probs with glance, so double-checked docs, then added these lines in under token15:47
lcurtisnow when i start keystone i get ImportError: No module named persistence.backends.sql15:47
lcurtisseems to be okay if i remove driver = keystone.token.persistence.backends.sql.Token15:48
lcurtisis this critical?15:48
*** gokrokve has joined #openstack-keystone15:50
mhulcurtis, which version of keystone are you deploying?15:51
lcurtis1:2014.1.3-0ubuntu215:52
mhulcurtis, so it's icehouse, and in this version the driver is keystone.token.backends.sql.Token15:53
lcurtisah..okay15:54
lcurtiswow..thank u so much15:54
lcurtisi was reading juno docs15:54
lcurtisu saved me much headache15:55
lcurtisgreatly appreciated15:55
mhulcurtis, you're welcome! I guess it's a common error to look at the wrong doc version15:58
amakarovayoung, morganfainberg, dstanek, good day! I've modified trust redelegation patch https://review.openstack.org/126897 and started docs: https://review.openstack.org/131541 Can you please review it once more?15:59
ayoungwill do amakarov15:59
lcurtisyes...switching back and forth and pulling up docs...stopping and starting installation15:59
amakarovayoung, I'd really appreciate any directions about specs writing - never done it this way before )) Is there any guide available?16:00
ayoungamakarov, we are all just figuring this stuff out16:01
ayoungall that we have is the template.rst16:01
amakarovayoung, telepate_mode=on then ))16:03
ayoungheh16:03
ayoungpate is a term for the top of the head...I'm thinking of some dude with an old style phone growing out of there16:04
*** marcoemorais has joined #openstack-keystone16:05
*** jorge_munoz has quit IRC16:05
amakarovayoung, :D16:05
amakarovayoung, btw about that Popen issue: I found your 2 year old thread about eventlet or vanilla subprocess.Popen usage16:08
ayoung++16:09
*** chrisshattuck has joined #openstack-keystone16:09
amakarovDid you try to inspect the call stack in order to determine current mode?16:10
ayoungamakarov, since we are moving to HTTPD, we can do something smarter at least on the Keystone side16:10
bknudsonwe've already moved to httpd.16:10
ayoungamakarov, I don't remember. Probably16:10
ayoungbknudson, not everyone has16:10
ayoungbknudson, but...there is the "ensure_popen" thing that we could use to select how to setup the cms call...16:11
ayoungbased on the env call...didn't you work on that?  or was it jamielennox ?16:11
amakarovayoung, I thought about it: we can write a wsgi app or even an apache extension to proxy the HTTP call to a library function16:11
*** afazekas_ has quit IRC16:11
*** chrisshattuck has quit IRC16:11
amakarovand let httpd take care of parallelism16:12
jamielennoxayoung: ?16:12
ayoungsorry to ignore, but I'm working on something on a screen that locks me out if I don't respond quickly...and I need to get it done16:12
ayounggive me a few minutes16:12
*** chrisshattuck has joined #openstack-keystone16:12
*** gyee has joined #openstack-keystone16:17
marekdmhu: OS_AUTH_PLUGIN is no longer supported?16:21
mhumarekd, the name was changed, it's OS_AUTH_METHOD now IIRC16:22
marekdmhu: ah-ha16:22
marekdso maybe we could reflect that change in the doc?16:22
marekdits missing now16:22
marekdhttp://pasteraw.com/3n85581vzt1vhjlzszx3w3onwsw4hgc16:23
mhumarekd, you mean the help message when running openstackclient --help ?16:24
mhuor the man page ?16:24
morganfainbergmorning.16:29
*** dims__ has joined #openstack-keystone16:33
*** topol_ has joined #openstack-keystone16:33
mhumarekd, thx16:33
*** topol has quit IRC16:33
marekdmhu: openstack -h16:33
*** topol_ is now known as topol16:33
marekdOS_AUTH_PLUGIN was changed to OS_AUTH_TYPE and it was not documented anywhere (openstack -h didn't reflect this)16:34
ayoungOK...16:35
ayoungjamielennox, I was just thinking that we could avoid using popen altogether based on the environment setup16:35
*** ericpeterson has joined #openstack-keystone16:36
jamielennoxayoung: oh - yea, probably16:36
jamielennoxmarekd: oh this is OSC?16:36
ericpetersonquestion from Horizon developer on primary project for a user.   Is that going away at some point?16:36
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/httpd/keystone.py#n4616:36
mhumarekd, seeing as OS_AUTH_PLUGIN was never exposed in a tagged version of osc AFAIK, the change is not really critical, but the option should be documented nevertheless16:36
ayoungericpeterson, sortof16:36
jamielennoxmhu: ah, i've been meaning to find you - i am going to try and do a big overhaul of OSC handling of plugins16:36
*** gokrokve has quit IRC16:37
ayoungericpeterson, when you have an LDAP backend, you can't count on that value being present16:37
ericpetersonwould like to have horizon respect that setting on initial login16:37
jamielennoxmhu: there is a whole heap of stuff that we provided in ksc so that all this stuff was standardized and OSC went and did it themselves16:37
amakarovayoung, imho the straightforward way is to use one or the other depending on the current stack16:37
ayoungericpeterson, there are some other ugly related issues16:37
marekdjamielennox: yes, we are talking about OSC16:37
marekdmhu: i could see it in help msg before.16:37
jamielennoxmhu: this is how i would like it to look https://review.openstack.org/#/c/131804/16:37
ayoungfor example, with cloud-policy, you need to use a domain scoped token to do domain level operations16:37
ericpetersonmaybe if it's there then use it, otherwise the current random behavior stays?16:37
mhujamielennox, cool, I'll give it a look16:37
jamielennoxthere is no reason i can think that OSC should be using stevedore etc16:38
ayoungericpeterson, more like this:16:38
ayoungericpeterson, first, get an unscoped token16:38
ayoungalways16:38
ayoungthen, always convert unscoped to scoped16:38
*** lhcheng has joined #openstack-keystone16:38
jamielennoxdirectly rather than using ksc supported stuff - if we want to use OS_AUTH_TYPE instead of OS_AUTH_PLUGIN (i admit a better word) then i would like to make that change in ksc so that it will be picked up by all the clients16:38
ayoungcuz in keystone, we are going to make that a requirement: no more scoped to scoped token exchanges16:38
mhujamielennox, to be honest I wasn't very familiar with stevedore so I just went with what I got working through trial and error :)16:38
david-lylebut in the unscoped token, default project isn't present is it?16:39
jamielennoxmhu: are you at summit?16:39
ayoungdavid-lyle, that is correct, you would have to make an additional query16:39
marekdjamielennox: i was also asking if osc should manage ksc plugins and load them from stevedore.16:39
mhujamielennox, yes, if all goes well16:39
ayoungwe might be able to shoehorn that info in to the unscoped token, but ugh16:39
jamielennoxmhu: all goes well? cutting that a little fine :)16:39
ericpetersonhave to possibly get 3 tokens to finally arrive, oh joy david-lyle16:39
marekdmhu: why would you miss it? it's 10 mins from your house?16:39
ayoungericpeterson, no, just two16:40
jamielennoxmarekd: i don't think it should - it should just rely on KSC16:40
ayoungericpeterson, today, a user can't even set his own default project. we should just let you guys maintain that info16:40
mhumarekd, I might have to guard the house at enovance :) but yeah, I'd be very surprised if I can't go16:40
*** ChanServ sets mode: +o dolphm16:40
david-lyledo I have access to the default project call with a domain-scoped token16:40
marekdjamielennox: that's what i once said afair16:40
jamielennoxmhu: ok - well we can talk about it there, but essentially i don't think you should do everything via stevedore. Stevedore is good for when people know the plugin they want to load specifically16:41
ayoungdavid-lyle, it won't be in the token data16:41
ayoungyou could get it with an additional call.16:41
jamielennoxif you are doing things like a default, or you want to use token_endpoint (which we already have in keystoneclient) then you can refer to those classes directly16:41
ayoungdavid-lyle we could do something interesting like this:16:41
jamielennoxalso the problem with the way it works now is that OSC is going to get additional --help entries for every plugin that gets installed on the system16:41
david-lyleayoung: understand that, question is, with an unscoped token can I get that info?16:42
ericpetersonayoung I think david-lyle and I are looking for APIs that we have today16:42
ayoungdavid-lyle, the more I think about this, the more complex it gets16:42
ayoungthe short answer is, maybe16:42
david-lyleso you're saying there's a chance16:42
ayoungso from an unscoped token, you pull the userid out, and then do a get user on that16:42
ayoungand the default project, if it exists, would be in there16:43
ericpetersonseems kinda weird that keystone has the default project (at least sometimes)..... and we don't get that out of an initial token16:43
ayoungwith the policy files as we've written them , I think so. let me look16:43
ayounghttps://github.com/openstack/keystone/blob/master/etc/policy.json#L41  get_user is admin_required16:43
ayoungand we are moving to16:43
ayounghttps://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L4816:44
mhujamielennox, but shouldn't the plugin options be listed through --help?16:44
ericpetersonthat's unfortunate16:44
ayoung "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",16:44
ayoungthere is no "get my info" call16:44
jamielennoxmhu: maybe - i was thinking of that, but if so i think it should be done via KSC16:44
ericpetersonkeystone knows more about me than I do, it seems ;)16:44
lhchengayoung: for unscoped token doesn't it default to the default project in v3? or are you taking that out?16:44
ayoungbut... we can make something work here.  Since the LDAP case is already broken, and we know that domain admin is broken, let's ask: what do we need16:44
jamielennoxmhu: so keystoneclient has auth.register_cli_options (or something), if we want that we should have KSC iterate through the plugins and add that info to --help16:45
ayoungand I think the answer is along the lines of jamielennox 's proposal to return a limited service catalog in an unscoped token16:45
david-lyleayoung: what are you doing about the admin_domain_id value in the second, tangent16:45
mhujamielennox, oh right, makes sense ... that's obviously stuff that could be reused in other clients16:45
ayoungI think we need 2 things16:45
ayoung1.  figure out where user preferences should live16:45
jamielennoxmhu: ++, as much as possible i want OSC to be 'just another CLI', standardize this as much as possible16:45
ayoung2.  figure out what data to return with an unscoped token16:45
mhujamielennox, and this is already covered in ksc? if so, pretty cool16:45
mhujamielennox, totally agree16:46
jamielennoxmhu: registering yes, it doesn't add the available plugins to --help at the moment16:46
ayoungdavid-lyle, yeah, I don't know about  admin_domain_id...that one is the kicker16:46
david-lyleayoung: big +1 on both from me16:46
ericpetersonayoung horizon already has some limited preferences that we take care of.   but if this setting is going to exist in keystone, it needs to actually do something useful16:46
jamielennoxmhu: i don't know what the cost of that is because you would have to iterate through stevedore all the available names and add them to the option - and it may never be used16:46
ericpetersonso I'd say the initial token should have some pointer to the default project16:47
david-lyleericpeterson: I'd rather the preferences live in keystone, if it's supported16:47
david-lyleor access to the user_preferences API call16:47
jamielennoxmhu: because --help is a static entry, and my understanding is that most things with entry points are a bit slow - but honestly its a CLI thing it probably doesn't matter at all16:47
morganfainberguser preferences for horizon shouldn't be in keystone ;)16:47
ayoungdavid-lyle, in my Javascript proof-of-concept, I did each step explicitly:  authenticate, list projects, get scoped token.  That is not a nice user experience, but might be OK for the first time the user logs in16:47
ericpetersondavid-lyle  thats fine too, but we don't have that right now16:47
ayoungit would be nicer to remember "last project I worked with" for people that do many projects16:48
mhujamielennox, yeah ... how many times are you going to call --help anyway?16:48
ayoungmorganfainberg, but it is more than a horizon issue16:48
ericpetersonhorizon has a related change to store the last region in a cookie16:48
jamielennoxmhu: if we did that we could even iterate the available plugin and have them as 'choices' on --os-auth-plugin16:48
ericpetersoncould do the same for projects16:48
ayoungmorganfainberg, right now, CLI and library also assumes default project if none is specified16:48
morganfainbergayoung, i'm not talking about this specific case16:48
morganfainbergdefault project needs to die16:48
ayoungand OSC breaks due to all the domain stuff...16:48
lhchengdavid-lyle: for the user preference, can we just store it together in the user's extra field?16:48
morganfainberga horrible death16:48
jamielennoxmhu: right well that's what i mean, you would take the hit for iterating them for every CLI call, even if you didn't use --help16:48
ayounglhcheng, nope16:48
ayounglhcheng, that is not writable in LDAP16:49
morganfainberglast project i used would be a better UX imo16:49
ericpetersonif default project needs to die, that's fine.... just need to have a clear direction16:49
mhujamielennox, oh ok, didn't think of that16:49
morganfainbergand i could def. support seeing something like that16:49
ayoungdiscussion for next week16:49
morganfainbergericpeterson, i expect this to be a meetup / pod discussion16:49
lhchengayoung: ah. got in late, you guys are discussing the ldap use case. carry on16:49
jamielennoxmorganfainberg: that's totally something that should be a horizon cached thing not in keystone16:49
ayounglhcheng, think more the "user data is read only" use case, but yes16:49
morganfainbergericpeterson, david-lyle maybe toss it on the Keystone meetup-etherpad ?16:49
ayoungFederation is not LDAP, but has the same issues16:49
morganfainbergjamielennox, i'd be fine with that.16:49
morganfainbergjamielennox, things to talk about.16:50
ericpetersonthis change keeps the region in a cookie, could do the same with project  https://review.openstack.org/#/c/119202/16:50
morganfainbergjamielennox, and keystoneclient/osc should probably support the same cache.16:50
jamielennoxmhu: anyway - that's why it doesn't add it to --help at the moment - we can discuss ways of making that cleaner, but i'd like to see OSC reuse as much of KSC loading as possible16:50
jamielennoxmorganfainberg: hmm... not sure there16:51
mhujamielennox, ++ I'll be happy to help with that16:51
*** nikunj2512 has joined #openstack-keystone16:52
jamielennoxmhu: well that review is massively failing all tests as i got a bit ambitious with the cleaning. As you did the initial patch, i'd be happy for you to have a go at integrating old and new16:52
jamielennoxi'm messing with neutronclient tests at the moment - which is going to take a while16:52
mhujamielennox, I'll add myself as a reviewer and have a look at it16:53
ayoungericpeterson, https://review.openstack.org/#/c/121281/  is the direction I'm headed with this16:53
mhuouch, you weren't lying when you said it was massively failing :P16:54
lhchengwondering if this a user data that other service would also leverage other than horizon. if it would be only horizon using the user data, we could just keep it in session or cookie.16:54
ayoungericpeterson, and then Kerberos should be possible with the follow on.16:54
jamielennoxmhu: yea, i started cutting where auth_ref was used. IMO we shouldn't need that - but my opinion is fairly ruthless/not always practical in this stuff16:56
*** wanghong has quit IRC16:56
jamielennoxmhu: I'm sure if it was done as an incremental change it wouldn't be so bad16:56
mhujamielennox, it'll provide a working base anyway16:56
*** nellysmitt has joined #openstack-keystone16:56
richmIs there a way to assign a user to a project using the v3 api?  http://docs.openstack.org/api/openstack-identity-service/3/content/users.html16:57
richmYou can list user projects: GET /users/{user_id}/projects16:57
*** topol has quit IRC16:57
bknudsonyou can assign a user a role on a project16:57
richmok - so you have to first have a role defined16:58
richmwhen you create a user, you can set a default_project_id16:59
ayoungrichm, that is oldschool stuff, but yes17:00
jamielennoxrichm: we would prefer you didn't set a default_project_id17:00
ayoungtechnically, if the user has no role on the project, that value is meaningless17:01
ayoungbut it might implicitly add the member role17:01
richmThis is what I'm struggling with - if I have pre-existing users in LDAP, can I assign those users to projects without also assigning them to roles?17:01
ayoungactually, it is ignored in v317:02
ayoungno17:02
ayoungrichm, in the past, users were members of projects17:02
richmok - then I need to make sure there is some role defined e.g. _member_17:02
ayoungnow they only have roles in projects17:02
ayoungotherwise we had two different forms of association17:02
ayoungrichm, yep17:03
ayoungthat should be done by the install17:03
richmList user projects: GET /users/{user_id}/projects17:03
ayoungrichm, specifically, the value in the config file for the member role:17:03
richmor member_role_id17:03
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/config.py#n9817:03
ayoungboth should be set, but are only used by the V2 api17:04
*** raildo has quit IRC17:04
richmThe GET /users/{user_id}/projects seems to imply that users can be directly associated with projects - but I suppose that is just a convenience method17:04
ayoungotherwise, any role will do, but I would avoid using the admin role as that gets elevated perms17:05
*** htruta has quit IRC17:05
ayoungrichm, it gets the set of projects for which the user has any roles17:05
ayoungneeded in order to select a project for a scoped token17:05
richmugh - the puppet code is going to need a lot of work to properly reflect the v3 relationships (and domains . . .)17:06
ayoungrichm, I would love to kill domains, and just make projects nestable17:07
*** raildo has joined #openstack-keystone17:08
*** diegows has joined #openstack-keystone17:08
*** wanghong has joined #openstack-keystone17:10
*** rwsu has joined #openstack-keystone17:12
jamielennoxcya17:17
*** htruta has joined #openstack-keystone17:17
*** mikedillion has joined #openstack-keystone17:18
*** tellesnobrega has quit IRC17:18
*** jamielennox is now known as jamielennox|away17:18
*** harlowja_away is now known as harlowja17:18
stevemari actually like domains :\17:20
nkinderstevemar: I think ayoung does too, just not calling them domains (domain == top-level project)17:22
ayoungstevemar, yes,  a project with no parent is a domain17:23
ayoungbut treat domains like projects17:23
stevemarhehe17:23
stevemarthats one way of putting it i suppose17:23
ayoungAND CALL THEM TENANTS!17:23
stevemarnoo17:23
ayoungyes17:23
stevemarthe word tenant must never return17:23
ayoungtenant/project/domains...they are all just namespaces17:23
*** jdennis has joined #openstack-keystone17:24
ayoungnkinder, having trouble finding 'KRB5CCNAME'  in Horizon.17:27
*** htruta has quit IRC17:27
ayoungOooh, maybe owner?  Unix permissions?17:27
amakarovayoung, I heard one of our northern nations has about 20 names for different kinds of snow :)17:27
ayounghttp://en.wikipedia.org/wiki/Eskimo_words_for_snow17:28
*** jorge_munoz has joined #openstack-keystone17:28
amakarovayoung, ++17:28
*** afaranha has quit IRC17:29
ayoungI have at least 20 words for programming that I shouldn't share in polite company17:29
*** jorge_munoz has quit IRC17:32
amakarovayoung, 20 in total with variations or initial forms?17:32
ayoungHeh17:32
*** htruta has joined #openstack-keystone17:34
*** raildo has quit IRC17:36
*** raildo has joined #openstack-keystone17:40
*** ericpeterson has quit IRC17:52
*** jaosorior has quit IRC17:53
*** marcoemorais has quit IRC17:55
*** marcoemorais has joined #openstack-keystone17:55
*** marcoemorais has quit IRC17:56
*** marcoemorais has joined #openstack-keystone17:56
*** marcoemorais has quit IRC17:56
*** marcoemorais has joined #openstack-keystone17:57
*** marcoemorais has quit IRC17:57
*** marcoemorais has joined #openstack-keystone17:57
*** marcoemorais has quit IRC17:57
*** marcoemorais has joined #openstack-keystone17:58
*** dims__ has quit IRC18:02
*** afazekas_ has joined #openstack-keystone18:03
marekdstevemar: so what is basically the difference between projects and domains?18:04
marekdstevemar: business usecases or technical ones?18:05
stevemarmarekd, technical, a domain is a good way to separate things, it can contain different groups, users and projects18:05
marekdstevemar: so, as a user when i scope my token to a domain what can i actually do?18:06
marekdstevemar: boot a vm?18:07
stevemarnot much unless you are a domain admin18:07
marekdstevemar: ok, if i am a domain admin i will then be able to manage it, right?18:09
*** marekd is now known as marekd|away18:11
*** jorge_munoz has joined #openstack-keystone18:12
*** jorge_munoz has quit IRC18:17
*** dims__ has joined #openstack-keystone18:18
stevemarmarekd|away, correcto18:20
*** ayoung has quit IRC18:22
*** dims_ has joined #openstack-keystone18:24
lbragstadqq on some of the older validation stuff that lives in the manager and driver levels.18:25
lbragstadsome of the backends and managers use keystone/clean.py for stuff like https://github.com/openstack/keystone/blob/3d9184b6f5860f0b56091a326ed41d2a4c29fbe4/keystone/assignment/backends/sql.py#L45118:25
lbragstadwhich leads to tests in places like https://github.com/openstack/keystone/blob/3d9184b6f5860f0b56091a326ed41d2a4c29fbe4/keystone/tests/test_backend.py#L177118:26
*** dims__ has quit IRC18:26
lbragstadwith the jsonschema approach, should we attempt to use the same validation schema for both v2.0 and v3. Or, should we at least make sure *all* validation is done at the same layer (i.e. controller layer like for jsonschema)?18:26
*** afazekas_ has quit IRC18:29
*** _cjones_ has quit IRC18:30
lbragstadcorrection: s/same validation schema/validation but with different schemas for different versions/18:30
*** _cjones_ has joined #openstack-keystone18:31
*** stevemar has quit IRC18:38
*** stevemar has joined #openstack-keystone18:39
*** jistr has quit IRC18:41
*** marcoemorais has quit IRC18:44
*** joesavak has joined #openstack-keystone18:47
*** amakarov is now known as amakarov_away18:47
*** BAKfr has quit IRC18:51
*** david-ly_ has joined #openstack-keystone18:51
*** BAKfr has joined #openstack-keystone18:51
*** vejdmn has quit IRC18:52
*** david-lyle has quit IRC18:55
*** marcoemorais has joined #openstack-keystone19:00
*** topol has joined #openstack-keystone19:02
*** dims_ has quit IRC19:10
*** afazekas_ has joined #openstack-keystone19:14
*** _cjones_ has quit IRC19:15
*** _cjones_ has joined #openstack-keystone19:16
*** openstackgerrit has joined #openstack-keystone19:21
*** openstackgerrit has quit IRC19:21
*** _cjones_ has quit IRC19:21
*** dims_ has joined #openstack-keystone19:24
*** edmondsw has joined #openstack-keystone19:24
*** mikedillion has quit IRC19:26
*** ayoung has joined #openstack-keystone19:28
*** afazekas_ has quit IRC19:31
*** joesavak has quit IRC19:41
ayoungnkinder, got a public demo of the kerberos stuff19:41
ayounghttp://horizon.younglogic.net/dashboard/admin/19:41
morganfainbergayoung, awww i'm not authorized for that project19:41
morganfainberg>.>19:41
morganfainberg:P19:41
morganfainbergayoung, btw, 10.9 and 10.10 of OSX has krb5 baked in19:42
morganfainbergno external packages needed19:42
nkinderayoung: I need to set my system up for your KDC19:42
ayoungmorganfainberg, ah, this is a new packstack install, so while your user is valid from ipa.younglogic.net, it needs a role on a project...19:43
ayoungnkinder, should be just the DNS entry19:43
morganfainbergi actually dont (again) remember my user for ipa.younglogic.net19:43
morganfainberghaha19:43
ayoungdns_lookup_realm = true19:43
morganfainbergwhat was my username btw?19:43
ayoungmorganfainberg, I can reset your password19:43
ayoungone sec19:44
ayoungmfainberg almost certainly19:44
ayoungyep19:44
morganfainberghmm.19:44
morganfainbergyeah19:44
morganfainberggot it19:44
ayoungmorganfainberg, OK, let me give you a role19:44
ayoungmorganfainberg, nkinder ok, it is set19:48
ayounggot to move locations...back on line in a few19:48
morganfainberghm.19:49
morganfainbergnow i just need to figure out how to configure the krb5.conf19:49
morganfainberglost the config somehow19:49
*** joesavak has joined #openstack-keystone19:53
morganfainbergayoung, will bug you post food.19:54
*** afazekas_ has joined #openstack-keystone19:54
*** ayoung has quit IRC19:59
*** jsavak has joined #openstack-keystone19:59
morganfainbergwow20:01
morganfainbergand that *just* worked20:01
*** afazekas_ has quit IRC20:01
*** joesavak has quit IRC20:02
morganfainberghm, clicking the "signon" button is a bit weird.20:03
nkindermorganfainberg: yeah, that requires some hacking in Horizon to get rid of it IIRC20:05
morganfainbergnkinder, also on OS X holy crap it was easy to setup the identity20:05
morganfainbergonce i .. you know .. figured out the app20:05
morganfainbergand safari just worked.20:05
morganfainbergchrome doesn't hook into KRB5 though in OS X20:05
*** afazekas_ has joined #openstack-keystone20:05
morganfainbergi think FF does.20:05
nkindermorganfainberg: FF requires you to set a config option in about:config though20:06
morganfainbergyeah20:06
morganfainberganyway. color me impressed with the simplicity of getting logged in20:06
nkinderSSO just seems like magic when it works20:06
* morganfainberg thinks some AD folks are going to be very happy with this.20:06
morganfainbergi think we're pretty close to having nearly the same level of friendliness for the federated stuff (e.g. SAML based)20:07
morganfainbergwon't feel quite as magical though20:07
morganfainberglunch time now20:08
*** vejdmn has joined #openstack-keystone20:16
*** dims_ has quit IRC20:21
*** _cjones_ has joined #openstack-keystone20:22
*** vejdmn has quit IRC20:22
*** vejdmn has joined #openstack-keystone20:23
*** radez is now known as radez_g0n320:24
*** afazekas_ has quit IRC20:25
*** david-ly_ is now known as david-lyle20:28
*** ayoung has joined #openstack-keystone20:33
*** afazekas has joined #openstack-keystone20:35
*** _cjones_ has quit IRC20:36
*** _cjones_ has joined #openstack-keystone20:36
ayoungnkinder, group membership seems to be messed up.  I have a group called keystoners, and from the command line:20:43
ayounggroups20:43
ayoungayoung wheel admins rhidm keystoners freeipa_brewers keystone_admins20:43
ayoung$ openstack --os-auth-type v3kerberos  group show 9df5b04e923a0d4a10081ccc76db25f7317784f44a6b88680a0633480a23f32c20:43
ayoung+-------------+------------------------------------------------------------------+20:43
ayoung| Field       | Value                                                            |20:43
ayoung+-------------+------------------------------------------------------------------+20:43
ayoung| description | Keystone Upstream Contributrors                                  |20:43
ayoung| domain_id   | YOUNGLOGIC                                                       |20:43
ayoung| id          | 9df5b04e923a0d4a10081ccc76db25f7317784f44a6b88680a0633480a23f32c |20:43
ayoung| name        | keystoners                                                       |20:43
ayoung+-------------+------------------------------------------------------------------+20:43
ayoungbut20:43
ayoung$ openstack --os-auth-type v3kerberos  group contains user 9df5b04e923a0d4a10081ccc76db25f7317784f44a6b88680a0633480a23f32c 51dade76c252e37121c87720d183075d2ab1aa4177b87a341a58375b23e5ffce20:43
ayoung51dade76c252e37121c87720d183075d2ab1aa4177b87a341a58375b23e5ffce not in group 9df5b04e923a0d4a10081ccc76db25f7317784f44a6b88680a0633480a23f32c20:43
ayoung$ openstack --os-auth-type v3kerberos  role assignment list --effective --user 51dade76c252e37121c87720d183075d2ab1aa4177b87a341a58375b23e5ffce20:44
ayoung+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+20:44
ayoung| Role                             | User                                                             | Group | Project                          | Domain |20:44
ayoung+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+20:44
ayoung| d7ce72b32d5f4a678edd20feda0d73bf | 51dade76c252e37121c87720d183075d2ab1aa4177b87a341a58375b23e5ffce |       | 85b6aa1fec2349e7bf0376c604b85652 |        |20:44
ayoung| d7ce72b32d5f4a678edd20feda0d73bf | 51dade76c252e37121c87720d183075d2ab1aa4177b87a341a58375b23e5ffce |       | b99b8eeafb634355b159d139e7827652 |        |20:44
ayoung+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+20:44
ayoungso membership is not being returned correctly.20:44
ayounggroup_member_attribute=member20:45
*** gokrokve has joined #openstack-keystone20:54
nkinderayoung: turn on debug logging and see what the filter is20:55
ayoungnkinder, looks like a permissions error20:56
ayoungI don't think it got to the LDAP layer20:56
nkinderpermissions on what?20:56
*** raildo has quit IRC21:02
*** _cjones_ has quit IRC21:07
*** nellysmitt has quit IRC21:08
bknudsonThis isn't working for me today: openstack --os-identity-api-version=3 --os-auth-url=http://localhost:5000/v3 user list21:13
bknudsonI get "Authentication failure: Expecting to find domain in project"21:14
bknudsonclient isn't sending a domain for project or user...21:17
bknudsonI needed to set "--os-user-domain-name=Default --os-project-domain-name=Default"21:19
bknudsonstevemar: recent change to openstack cli?21:19
stevemarbknudson, i don't think it was ever defaulting it21:20
bknudson"Clean up shell authentication" -- https://review.openstack.org/#/c/129778/ -- hmmmm21:21
stevemarbknudson, yeah, i abandoned that effort https://review.openstack.org/#/c/125865/21:21
bknudsonstevemar: I agree it's questionable to have a default for the domain...21:22
stevemarbknudson, yeah we get all our options (most anyway) from keystoneclient now21:22
stevemarinstead of carrying our own21:22
morganfainbergayoung, you weren't here when i told nkinder this, but color me impressed on the SSO experience logging in.21:23
morganfainbergstill rough edges and all, but wow.21:23
morganfainbergayoung, well done sir!21:23
stevemarmorganfainberg, details?21:23
*** jsavak has quit IRC21:24
morganfainbergstevemar, ayoung needs to give you a role on his horizon install, but basically kinit your principal on his ipa server then just go to the horizon login21:24
morganfainbergstevemar, then it's click a button to get a token. (the rough edge)21:24
morganfainbergbut, it's SSO... like magic21:24
morganfainbergkrb5 stuffs21:24
morganfainbergstevemar, ipa.younglogic.net (i think you have an account)21:24
bknudsonI'll just set "export OS_USER_DOMAIN_NAME=Default" and "export OS_PROJECT_DOMAIN_NAME=Default"21:25
morganfainbergstevemar, smartinelli21:25
bknudsonno GUI for me.21:25
stevemarbknudson, i think that's what we advise in the docs21:25
morganfainbergstevemar, and http://horizon.younglogic.net/dashboard21:25
stevemarbknudson, http://docs.openstack.org/developer/keystone/cli_examples.html#using-python-openstackclient-v3 scroll down a bit21:26
ayoungmorganfainberg, thanks21:26
ayoungmorganfainberg, so I was trying to just set up a group for all that, but group role assignment seems to be broken there21:26
ayoungI'm debugging21:26
morganfainbergayoung, yeah it's wonky21:26
stevemarmorganfainberg, whats the default password?21:26
morganfainbergayoung, and i get an error everytime i login21:26
ayoungstevemar, I'll give you a role directly21:26
stevemaror is there not one?21:26
ayoungstevemar, none21:27
morganfainbergError: Unauthorized: Unable to retrieve usage information.21:27
ayoungno defaults21:27
morganfainbergbut it really does almost feel like magic21:27
stevemarlet me know when i have a role :)21:27
morganfainbergyou know... like SSO is supposed to feel21:27
stevemarhehe21:27
* morganfainberg is debating getting a laptop w/ 12hr battery life.21:28
morganfainbergi hate that i only get 6hrs on my mbp21:28
morganfainberganyone have opinions on a good travel laptop that legitimately gets serious battery life?21:29
morganfainbergi'm ok with it having a bit less power - i don't expect to need to run massive numbers of VMs.21:30
ayoungmorganfainberg, we're going to need another env var for the keystone client21:30
*** chrisshattuck has quit IRC21:30
ayoungone for setting the auth plugin21:30
morganfainbergayoung, ugh. really?21:30
morganfainbergayoung, ok.21:30
ayoungmorganfainberg, heh21:30
ayoungyeah,  right now I have to do21:30
morganfainbergayoung, i can buy that. though it should be easy if we already have the CLI option21:31
ayoung openstack --os-auth-type v3kerberos domain list21:31
ayoungso we need21:31
morganfainbergok so OS_AUTH_TYPE21:31
ayoungOS_AUTH_TYPE21:31
morganfainbergwait... we don't have that21:31
morganfainberg?!21:31
morganfainbergok ok so let's fix session to do the ENV var source if not passed on cli21:31
ayoungI don't think we have it yet21:33
ayoungthe flag changed recently, it was --os-auth-plugin21:33
*** sigmavirus24 is now known as sigmavirus24_awa21:36
*** _cjones_ has joined #openstack-keystone21:36
morganfainberghm.21:36
*** gokrokve has quit IRC21:36
morganfainbergayoung, I'm going to be writing up a blog post re: Federation SSO etc design session results21:37
morganfainbergayoung, FYI i'm totally going to reference what you've accomplished here (and if you have an active post on your blog about it want to link to it too)21:37
morganfainbergayoung, i plan on writing it up post summit session.21:38
ayoungHeh...I have many21:38
ayoungstevemar, Ok, just added a role to your user21:38
morganfainbergi mean if you have one about *this* specific demo / current state.21:38
ayoungusername is21:38
ayoungsmartinelli21:38
morganfainbergotherwise i'll pick one/some of the other ones.21:38
ayoungno idea what the password is21:38
stevemarayoung, is there a default ?21:39
stevemarmorganfainberg said there might not be one?21:39
ayoungmorganfainberg, I don't think I'll be writing another one yet.  I was going to publicize the younglogic.net thing, but just got the public demo working21:39
ayoungstevemar, this is the kerberos setup I did with you a month or three ago21:39
ayoungI can reset your password if you need21:39
morganfainbergayoung, sounds good. i'll have ya read things over before I post it up anyway.21:39
ayoung++21:39
ayoungstevemar, https://ipa.younglogic.net/ipa/ui/#/e/user/search  if you go there, your browser might have the old password cached21:40
ayoungmorganfainberg, so, yeah, the ldap query for List-users-in-groups is returning no values21:41
morganfainbergayoung, *blink*21:41
ayoungI've executed the same thing by hand in the CLI, and it seems to work21:41
ayoungbasically21:41
morganfainbergthe *rest* API is not working or horizon's call isn't?21:42
morganfainbergor you mean you used LDAPSearch and got results21:42
*** edmondsw has quit IRC21:42
ayoung ldapsearch -s base -Y gssapi -D "cn=directory manager"  -b cn=keystoners,cn=groups,cn=accounts,dc=younglogic,dc=net member21:42
ayoungminus the gssapi part21:42
ayoungdeep in the ldap backend...21:42
ayoung/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py(1452)_ldap_get_list()21:43
*** vejdmn has quit IRC21:43
ayounghmmmm...using the packages, and this is slightly out of date21:44
ayoungin git that line is one function up21:44
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n145221:44
ayoungthe line I was looking at was21:44
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n146921:45
ayoungI wonder if there is a bug fix I'm missing21:45
morganfainbergayoung, hmm.21:47
ayoungnah...all that code change back in April21:48
ayoungand may for bknudson 's change....21:49
*** dims__ has joined #openstack-keystone21:51
ayoungmorganfainberg, anyway, on my machine it resolves to21:51
ayoungreturn conn.search_s(search_base, scope, query, attrlist)21:51
bknudsondon't git blame me.21:51
bknudsonI'm just the git messenger21:51
ayoungprint search_base21:51
ayoungcn=keystoners,cn=groups,cn=accounts,dc=younglogic,dc=ne21:51
ayoungscope =0 which should be 'base'21:52
ayoungquery is just21:52
ayoungquery21:52
ayoung(objectClass=groupOfNames)21:52
ayoungand21:52
ayoungprint attrlist is ['member']21:52
ayoungoh wait!21:53
ayoungnow I get a result...21:53
ayoung[(u'cn=keystoners,cn=groups,cn=accounts,dc=younglogic,dc=net', {})]21:53
ayoungso it found the right dn and object, but there are no members21:54
*** dims__ has quit IRC21:56
ayoungdebug shows this query21:58
ayoung2014-10-30 21:57:31.322 13761 DEBUG keystone.common.ldap.core [-] LDAP search: base=cn=keystoners,cn=groups,cn=accounts,dc=younglogic,dc=net scope=0 filterstr=(objectClass=groupOfNames) attrs=['member'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:92621:58
*** harlowja has quit IRC22:00
*** r1chardj0n3s is now known as r1chardj0n3s_afk22:00
*** dims__ has joined #openstack-keystone22:00
ayoungnkinder, anything catch your eye there?22:02
*** henrynash has joined #openstack-keystone22:02
*** stevemar2 has joined #openstack-keystone22:03
nkinderayoung: we have OS_AUTH_TYPE in OSC already22:03
ayoungdo we?22:03
ayounglet me test22:03
*** stevemar has quit IRC22:03
*** lhcheng has quit IRC22:03
nkinderayoung: https://github.com/nkinder/rdo-vm-factory/blob/master/rdo-kerberos-setup/vm-post-cloud-init-rdo.sh#L33122:03
ayoungnkinder, need to get it into the docstring then22:04
ayoungbut it works22:04
nkinderayoung: yeah, I've been using it too22:04
ayoungnkinder, so the groups thing above ^^?22:04
ayounganything jumping out at you?  from the CLI it returns the members, but not python22:04
nkinderayoung: let me get my daughter started on homework, then I'll take a look22:05
ayoungthey look like the same query to me22:05
* ayoung is jealous that kid doing homework does not require constant supervision. Not the case in my household22:05
*** lhcheng has joined #openstack-keystone22:07
henrynashlooking for other people's views on what descriptive term would describe a piece of Keystone that looked after the crud of Domains, Projects and Role entities? Assuming that “gaggle, herd or shoal” are all unsuitable….any ideas?  Right now we have “asset” or “resource” as ideas22:11
nkinderayoung: oh, my house is no different.  I may get 2 minutes between pages though...22:12
nkinderayoung: ok, so that filter is strange22:12
henrynash(this is for splitting up the current “assignments” component into “something” + “assignments”)22:13
nkinderayoung: the filter would return every single group entry with all of their member attributes according to that debug log entry22:13
ayoung filterstr=(objectClass=groupOfNames)22:13
ayoungno, look at base22:13
nkinderayoung: oh, the base22:13
ayoungit is the actual object22:13
nkinderok, makes more sense22:13
ayoungits all about...ah forget it22:13
* ayoung can feel the groans22:13
nkinderayoung: so you are trying to list all members of a group?  What OSC command are you using?22:14
*** stevemar2 has quit IRC22:14
ayoungnkinder, it gets base a DN, so I can't help but think its the attrs22:14
ayoungopenstack --os-auth-type v3kerberos  group contains user 9df5b04e923a0d4a10081ccc76db25f7317784f44a6b88680a0633480a23f32c 51dade76c252e37121c87720d183075d2ab1aa4177b87a341a58375b23e5ffce22:14
ayoungnkinder, I used rpdb and stepped through22:15
*** rm_work has quit IRC22:15
ayoungnkinder, read up just after where bknudson says "git messenger"22:15
ayoung#define LDAP_SCOPE_BASE                 ((ber_int_t) 0x0000)22:16
ayoungso the scope is right22:16
bknudsonthere are no members in that entry22:18
ayoungbknudson, there is when I execute it from the CLI22:18
nkinderayoung: it works for me22:18
ayoungbknudson, when I execute22:18
ayoung ldapsearch -Y GSSAPI -H ldap://ipa.younglogic.net -s base -b cn=keystoners,cn=groups,cn=accounts,dc=younglogic,dc=net  "(objectClass=groupOfNames)" member22:19
ayoungI get back dn: cn=keystoners,cn=groups,cn=accounts,dc=younglogic,dc=net22:19
ayoungmember: uid=ayoung,cn=users,cn=accounts,dc=younglogic,dc=net22:19
ayoungand many more22:19
bknudsonis it that you don't have authority to get back member attribute?22:19
bknudsonor keystone doesn't have authority22:19
ayoungwas just thinking that22:19
ayoungkeystone is doing an anoymous bind22:20
ayounganonymous even22:20
nkinderayoung: ok, that could be it22:20
*** rm_work has joined #openstack-keystone22:20
ayounghow do I query the ACL on that object?22:20
*** rm_work has quit IRC22:20
*** rm_work has joined #openstack-keystone22:20
bknudson$ ldapsearch -x SIMPLE  -H ldap://ipa.younglogic.net -s base -b cn=keystoners,cn=groups,cn=accounts,dc=younglogic,dc=net  "(objectClass=groupOfNames)" member22:20
nkinderayoung: I think I create a user with no special privs22:20
nkinderayoung: yeah, just do what bknudson says ^^^22:20
nkinderayoung: easier to just test it than to look up the ACL (which is stored at a different level than the group)22:21
ayoungno members returned22:21
nkinderayoung: now bind as a user22:21
nkinder...and do the same search22:21
ayoungI'll try an non-prived user after dinner22:21
bknudsonit's just ldapsearch -x will do simple auth, don't need SIMPLE (it was taking that as an attribute name)22:27
*** bknudson has quit IRC22:27
ayoungnkinder, that worked.  Important safety tip22:29
ayoungand now all keystoners are members of the keystoners group22:29
nkinderayoung: my preso already says what access the bind user needs to have when configuring keystone for LDAP22:29
nkinderayoung: listing group members is one of those things :)22:30
ayoungNice22:30
ayoungDidn't realize that was limited by an anonymous bind, but it makes sense.  IPA has cautious defaults. As it should22:30
ayoungThere might still be an issue with listing the projects for a user.22:31
nkinderayoung: I know some deployments that completely disable anonymous binds too22:31
nkinder...or limit it to root DSE lookups22:31
ayoungAnd I see an issue with getting the usage information, not sure what that is22:31
ayoungOK..dinner and then gym for me.22:31
*** thedodd has quit IRC22:32
*** lhcheng has quit IRC22:36
*** chrisshattuck has joined #openstack-keystone22:40
*** marcoemorais has quit IRC22:40
*** marcoemorais has joined #openstack-keystone22:40
*** harlowja has joined #openstack-keystone22:41
*** lhcheng has joined #openstack-keystone22:44
*** edmondsw has joined #openstack-keystone22:47
*** lcurtis has quit IRC22:50
*** chrisshattuck has quit IRC22:52
*** andreaf has joined #openstack-keystone23:10
*** lbragstad1 has joined #openstack-keystone23:31
*** edmondsw has quit IRC23:32
*** lbragstad1 has left #openstack-keystone23:36
*** henrynash has quit IRC23:39
*** andreaf_ has joined #openstack-keystone23:43
*** andreaf has quit IRC23:44
*** boris-42 has quit IRC23:45
*** boris-42 has joined #openstack-keystone23:50

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!