Wednesday, 2015-03-18

00:02 *** iamjarvo has quit IRC
00:05 *** chrisshattuck has quit IRC
00:07 *** chrisshattuck has joined #openstack-keystone
00:10 <openstackgerrit> henry-nash proposed openstack/keystone: Refactor code supporting status in JSON Home  https://review.openstack.org/165075
00:11 <openstackgerrit> Merged openstack/keystone: remove expected backtrace from logs  https://review.openstack.org/165212
00:15 *** markvoelker has quit IRC
00:31 *** chrisshattuck has quit IRC
00:32 *** markvoelker has joined #openstack-keystone
00:37 *** henrynash has quit IRC
00:41 *** diegows has quit IRC
00:42 *** diegows has joined #openstack-keystone
00:43 *** _cjones_ has quit IRC
00:44 <lbragstad> morganfainberg: possible suspect of the token issues with auth_token https://bugs.launchpad.net/keystonemiddleware/+bug/1433372
00:44 <openstack> Launchpad bug 1433372 in keystonemiddleware "safe_quote doesn't work for Fernet/PKI/PKIz tokens" [Undecided,New]
00:45 <morganfainberg> lbragstad: looking.
00:45 <morganfainberg> Oh fun.
00:46 <lbragstad> morganfainberg: it looks like the safe_quote method is modifying the token string before passing it to keystone
00:46 <morganfainberg> Fun.
00:49 *** chrisshattuck has joined #openstack-keystone
00:52 *** browne has quit IRC
00:53 <lbragstad> jamielennox: around?
00:53 <lbragstad> jamielennox: ^ question about the safe_quote method()
00:53 *** samueldmq has joined #openstack-keystone
00:54 <lbragstad> s/safe_quote method()/safe_quote() method/
00:55 *** chrisshattuck has quit IRC
00:55 <lbragstad> jamielennox: what cases do we expect the token string to not be url safe in the verify_token path?
00:56 <lbragstad> morganfainberg: fyi fernet tokens are passing with existing AuthToken test cases: https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/klw-tokens,n,z
00:57 <lbragstad> jamielennox: it seems to be done unconditionally, regardless of the token type, but UUID tokens shouldn't ever not be URL safe?
00:58 <jamielennox> lbragstad: i'll need to look back through it
00:59 <jamielennox> i don't remember what it's even for
00:59 <lbragstad> jamielennox: gotcha, we seem to call it regardless
00:59 <lbragstad> at least on _identity.verify_token()
00:59 <jamielennox> it's very likely it was just copied out of the client
01:00 <lbragstad> which might explain why the tests dolphm was running failed for everything except uuid?
01:00 <jamielennox> because there are really only a couple of requests that auth_token will ever make
01:00 <lbragstad> jamielennox: ok
01:00 <jamielennox> lbragstad: we don't unquote on the keystone side?
01:01 <lbragstad> jamielennox: apparently not
01:01 <jamielennox> the safe_quote output looks like what i would want
01:01 <lbragstad> jamielennox: or else it wouldn't be failing
01:01 <lbragstad> jamielennox: it passes for uuid, but that's because it doesn't change
01:02 <jamielennox> so this is v2 right? just looking where it's called
01:02 <lbragstad> jamielennox: this was happening on v3-only
01:03 <jamielennox> https://github.com/openstack/keystonemiddleware/blob/d436ec737a4ecfe653d934c6f4a71f411b7f9cc2/keystonemiddleware/auth_token/_identity.py#L166
01:03 <jamielennox> yea, that looks wrong
01:03 <lbragstad> jamielennox: yeah, it does it regardless
01:03 <jamielennox> so on v2 calls the verify call is GET /v2/tokens/{uuid} and in which case it should be safe_quoted
01:03 <lbragstad> jamielennox: git is telling me that you refactored it ~27 days ago
01:04 <jamielennox> on v3 you pass it via X-Subject-Token and AFAIK you don't need to urlencode headers
01:04 <lbragstad> jamielennox: but even before the refactor it was still calling that method regardless
01:04 <lbragstad> jamielennox: sweet
01:05 <jamielennox> check on the urlencoding of headers, but i think you're right
01:05 <lbragstad> https://github.com/openstack/keystonemiddleware/commit/1272e7ca045657cd9526e63b8a30fd577a6e6d34
01:05 <jamielennox> lbragstad: i'd be surprised if that change happened in the keystonemiddleware directory at all
01:05 <lbragstad> before, safe_quote() just lived in auth_token
01:06 <lbragstad> but the refactor moved it to _utils() but that shouldn't matter
01:06 <lbragstad> it was still doing the same behavior
01:06 <jamielennox> https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1127 so here they are purposefully encoding the header
01:06 <lbragstad> jamielennox: ah
01:07 <lbragstad> jamielennox: so it breaks Fernet there too
01:07 <jamielennox> which stems from introducing v3 tokens to auth_token https://github.com/openstack/python-keystoneclient/commit/d782a998474d92d4299b4404b69442f0288efc3b
01:07 <jamielennox> so long ago...
01:08 <lbragstad> jamielennox: so, given your much more familiar, do you have a recommendation for a fix?
01:08 <lbragstad> s/your/you're/
01:09 <dstanek> lbragstad: how's it going?
01:09 <lbragstad> dstanek: https://bugs.launchpad.net/keystonemiddleware/+bug/1433372
01:09 <openstack> Launchpad bug 1433372 in keystonemiddleware "safe_quote doesn't work for Fernet/PKI/PKIz tokens" [Undecided,New]
01:09 <jamielennox> lbragstad: i think it's fine to remove safe_encode from v3, do v2 only
01:09 <jamielennox> so move it into one of the strategy bits
01:10 <jamielennox> dstanek: what's the allowed character range for http headers?
01:10 <jamielennox> ASCII should be safe right?
01:10 <dstanek> jamielennox: i think ascii
01:10 <dstanek> yes, all ascii should be fine
01:11 <jamielennox> fernet is base64 encoded so it's just the extra chars anyway
01:11 <lbragstad> ok, so what about Fernet tokens in the v2.0 path with auth_token?
01:11 <jamielennox> lbragstad: ideally for this stuff there is a base64.urlsafe_base64 or something
01:11 <lbragstad> jamielennox: the Fernet tokens are base46 encoded
01:12 <jamielennox> typo? or did you just decide on a new standard
01:12 <jamielennox> :p
01:13 <jamielennox> lbragstad: move safe_encode to https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_identity.py#L46
01:13 <jamielennox> safe_quote
01:13 <lbragstad> and remove from https://github.com/openstack/python-keystoneclient/blob/fc1f5a7963adb3c39f48131af5117bfafa3b07e7/keystoneclient/middleware/auth_token.py#L1127
01:13 <lbragstad> ?
01:13 <dstanek> header names can be ascii and values any 8bit character
01:13 <dstanek> http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
01:13 <dstanek> http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
01:14 <jamielennox> lbragstad: don't touch the keystoneclient one, it's not a security issue
01:14 *** chrisshattuck has joined #openstack-keystone
01:15 <lbragstad> jamielennox: got it, but then remove https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_identity.py#L166
01:15 <lbragstad> ?
01:15 <dstanek> lbragstad: is this possibly because of the hardcoded double equals?
01:15 <lbragstad> dstanek: I'm not sure
01:15 <jamielennox> lbragstad: yes
01:16 <dstanek> lbragstad: this function 'random_urlsafe_str_to_bytes' is just plain wrong
01:16 <dstanek> lbragstad: do you have a small test case that i can run to see the breakage?
01:19 *** chrisshattuck has quit IRC
01:19 <jamielennox> dstanek: i don't think the problem is the urlsafe bit, it's that it was url encoding it and then putting it into a header
01:19 *** chrisshattuck has joined #openstack-keystone
01:20 <lbragstad> dstanek: I posted a recreated portion of it in the bug
01:20 <lbragstad> dstanek: with pasteraw
01:20 <dstanek> jamielennox: that should be OK though right?
01:20 <lbragstad> dstanek: http://cdn.pasteraw.com/jt7zlnanjmcwqyu5gt9k4vcspy1pj9p
01:21 <lbragstad> dstanek: token is what we get back from Keystone
01:21 <jamielennox> dstanek: the keystone side doesn't unencode the header, so the base64 decode will fail
01:21 <jamielennox> lbragstad: or i assume that's what you would be seeing
01:22 <lbragstad> yeah,
01:22 <lbragstad> so the token is different from what we expect when we pass to decrypt it,
01:22 <dstanek> lbragstad: why is safe_quote checking to see if it is already quoted?
01:22 <lbragstad> which is where cryptography was blowing up
01:22 <lbragstad> dstanek: no sure
01:22 <lbragstad> not*
01:27 <openstackgerrit> Lance Bragstad proposed openstack/keystonemiddleware: Don't safe_quote for V3 in auth_token.  https://review.openstack.org/165269
01:27 <lbragstad> dstanek: jamielennox thought it was code that was copied over from the client
01:31 <jamielennox> lbragstad: always going to require tests
01:31 <lbragstad> jamielennox: yep, running them now,
01:32 <lbragstad> jamielennox: but that's the right track, right?
01:32 <jamielennox> lbragstad: it would seem fine to me
01:32 <lbragstad> jamielennox: cool, thanks for your help!
01:32 <jamielennox> np
01:33 <dstanek> lbragstad: how did Fernet tokens break the middleware?
01:34 <lbragstad> dstanek: the user sends something like 'gAAAAABVCEAvKfH3QI8ogwfLYOPjh3QRMfF7VDKmvrNedNu-wUT8rKW98ABcEWJQ-n8TboYi0Y_NlcM0GP9iUeDjniV39JYQnKzzeHbidqmswpeXUpRETdY8LtSOLkKEElootWRh7wiW4rV4fEAj-Pso-ocLHz3YLRiQlWYQ9Jfn1BKoafnr68Y=' to the middleware as a token
01:35 <lbragstad> and the middleware turns it into 'gAAAAABVCEAvKfH3QI8ogwfLYOPjh3QRMfF7VDKmvrNedNu-wUT8rKW98ABcEWJQ-n8TboYi0Y_NlcM0GP9iUeDjniV39JYQnKzzeHbidqmswpeXUpRETdY8LtSOLkKEElootWRh7wiW4rV4fEAj-Pso-ocLHz3YLRiQlWYQ9Jfn1BKoafnr68Y%3D' before sending it to Keystone to be validated
01:36 <lbragstad> which fails because it's not the same token string
01:38 *** chrisshattuck has quit IRC
01:39 <dstanek> lbragstad: that's very odd - did that change?
01:40 <lbragstad> dstanek: it looks like it's been in middleware for a while
01:40 <lbragstad> dstanek: but we would never see this on a uuid token
01:40 <lbragstad> dstanek: but it does give probable cause as to why dolphm was seeing the same issues with pki and pkiz tokens
01:41 <dolphm> lbragstad: dstanek: o/
01:41 <jamielennox> there was a patch a little while ago that did fallback (if you couldn't cert validate then try to do it online) that should probably have caught it
01:41 <dstanek> lbragstad: that's very strange
01:41 <lbragstad> dstanek: yep
01:41 <lbragstad> dolphm: welcome to the party
01:41 *** rdo has quit IRC
01:42 <dstanek> i would have expected this to pop up in a bug report
01:42 <dolphm> dstanek: yes, random_urlsafe_str_to_bytes is unsavory, but it's pre-existing behavior that is just better documented post-fernet. i think it's new for kilo? so we still have time to change it
01:43 *** nellysmitt has joined #openstack-keystone
01:44 <dolphm> lbragstad: does an unscoped token just happen to not have any trailing padding at the end? trying to figure out why those validate correctly, but the others don't
01:44 <dstanek> dolphm: if it's not causing a bug now i think there is a good chance it'll cause one in the future since it assumes the only thing it can decode is uuids
01:44 <lbragstad> dolphm: yes, exactly
01:44 <lbragstad> dolphm: unscoped tokens don't have the padding
01:44 <dolphm> lbragstad: did you confirm that?
01:45 <lbragstad> I have a trace somewhere
01:46 <dstanek> lbragstad: dolphm: it's not unscoped vs. scoped generally it's just the size of your test data
01:46 <dolphm> lbragstad: i'm going to try running keystone-deploy with your patch
01:46 *** chrisshattuck has joined #openstack-keystone
01:46 <dolphm> dstanek: all tokens of the same payload type are the exact same size in bytes, within a few variables
01:47 <dolphm> dstanek: like, has the token been rescoped or not? (== is it carrying a second audit id?)
01:47 *** nellysmitt has quit IRC
01:47 <lbragstad> dolphm: http://cdn.pasteraw.com/naljxh72wrcmfosq9guf201lx1knf0y
01:47 <dolphm> dstanek: assuming all UUIDs are the same length, etc
01:47 *** stevemar has joined #openstack-keystone
01:47 *** ChanServ sets mode: +v stevemar
01:48 <dolphm> lbragstad: ha.
01:48 <dstanek> dolphm: that's not true for pki though
01:49 <dolphm> lbragstad: YOUR PATCH WORKS FOR FERNET!
01:49 * lbragstad cracks many beers
01:49 <dolphm> lbragstad: all i'm left with is a single failure: AuthorizationFailure: Authorization failed: token must be bytes. (HTTP 400)
01:50 <dolphm> lbragstad: so, yay?
01:50 <dolphm> lbragstad: but seriously, YAY!
01:50 <dolphm> lbragstad: let me test it with PKI, PKIZ, and UUID and i'll +2
01:51 *** chrisshattuck has quit IRC
01:51 <lbragstad> dolphm: where are you getting the token must be in bytes error?
01:52 <dolphm> lbragstad: my new test_token_rescoping
01:52 <lbragstad> hmmmm
01:53 <dolphm> lbragstad: i think when it rescopes for the first time
01:53 <dstanek> i wish we could get that figured out. i have a bad feeling that something awful is going on there
01:53 <dolphm> lbragstad: that appears to be a problem in the client, because i've verified that i'm passing in a str
01:53 <dolphm> dstanek: ^
01:54 <lbragstad> hm so does the client cast it to something other?
01:55 <dolphm> lbragstad: i have to assume so
01:55 <dstanek> dolphm: where in the flow are you? you - (str) -> client - (unicode) -> keystone?
01:55 <dolphm> lbragstad: have not walked through the code
01:56 <dolphm> dstanek: here https://github.com/dolph/keystone-deploy/blob/master/test_exercises.py#L150
01:56 <dolphm> dstanek: unscoped.auth_token is of type() str
01:56 <dolphm> dstanek: and i get a 400 there from keystone
01:56 <dolphm> dstanek: on L149
01:57 <dstanek> dolphm: maybe keystone gets a unicode when it grabs it out of the header
01:58 <dolphm> dstanek: i don't actually know that it's choking on unicode for sure -- i have no idea what type it's really seeing (could be NoneType!)
01:58 <dstanek> dolphm: :-(
01:59 *** dims has quit IRC
02:00 <dolphm> lbragstad: so, i've confirmed twice that your patch fixes fernet, but pki is *still* broken
02:00 <jamielennox> nova -> neutron communication with an auth plugin! 6 months later
02:00 * jamielennox happy dance
02:00 *** lhcheng has quit IRC
02:00 <lbragstad> dolphm: :-/
02:02 <dolphm> dstanek: http://cdn.pasteraw.com/iqpm8li0ehyffrtdpxn7ash1we6rh6f
02:02 <dolphm> jamielennox: /highfive
02:04 <dstanek> dolphm: i'm super intrigued now - going to setup keystone-deploy
02:05 <dolphm> dstanek: i target ubuntu 12.04 LTS, since that's what travis uses
02:05 <dolphm> dstanek: as a deploy target
02:05 *** samueldmq has quit IRC
02:06 <dolphm> dstanek: on the ansible host, run the first two steps from the travis install: https://github.com/dolph/keystone-deploy/blob/master/.travis.yml
02:06 *** harlowja_ is now known as harlowja_away
02:07 <dolphm> dstanek: and then i deploy & test with $ ansible-playbook -i "$IP," -u root deploy.yaml && HOST=$IP python -m unittest discover
02:08 <dstanek> dolphm: looks like i have to make this a rackspace vm
02:08 <dolphm> dstanek: don't *have* to, i think lbragstad uses vagrant?
02:08 <lbragstad> dstanek: yeah, I use vagrant
02:09 <morganfainberg> lbragstad: nice.
02:09 <lbragstad> dstanek: because I haven't had the time to get my rax dept account setup
02:09 <dstanek> lbragstad: pulling down the machine over the hotel network :-) say 1 hour 42 mins left
02:09 <lbragstad> dstanek: use rax :)
02:11 *** samueldmq has joined #openstack-keystone
02:11 <dolphm> lbragstad: testing your patch with PKIZ tokens...
02:11 <lbragstad> sweet
02:11 <morganfainberg> lbragstad: I have some other infra changes to propose so I'll be looking to setup one of the runs with fernet.
02:11 <lbragstad> morganfainberg: ++
02:12 <dolphm> morganfainberg: \p
02:12 <dolphm> \o/ *
02:13 <dolphm> lbragstad: no effect on PKIZ either
02:13 <morganfainberg> Also that ksm issue with safe quote. I'm ready to release asap if it is solved by an easy fix/quick to land.
02:13 <lbragstad> :(
02:13 <morganfainberg> I take it not fixed by the :(
02:13 <dolphm> morganfainberg: fixed for Fernet, but i see the same issue with PKI and PKIZ too
02:13 <lbragstad> morganfainberg: it doesn't fix PKI or PKIz issues
02:14 <morganfainberg> Dolph what was the code fix? Let me take a quick look.
02:14 <dolphm> morganfainberg: https://review.openstack.org/#/c/165269/
02:14 <openstackgerrit> Dave Chen proposed openstack/keystone: envlist option defaults to the list of all environments  https://review.openstack.org/161705
02:15 <morganfainberg> Pki and pkiz might already be safe strings?
02:15 <dolphm> lbragstad: tokens should already *always* *always* *always* *always* be URL safe
02:15 <dolphm> lbragstad: no client should ever have to manipulate them, ever
02:15 <morganfainberg> dolphm: why do we need to safe quote them then?
02:15 <lbragstad> dolphm: yeah, before they leave keystone on auth you mean?
02:15 <dolphm> morganfainberg: i have zero clue
02:15 <morganfainberg> History?
02:15 <dolphm> morganfainberg: we should not have to, ever
02:16 <lbragstad> morganfainberg: dolphm jamielennox thought it was code that was copied over from client -> middleware?
02:16 * lbragstad == proxy
02:16 <dolphm> morganfainberg: the only manipulation we have a half-ass excuse for is hashing them because they're too big
02:16 <morganfainberg> You know, let's just check to see if they are safe strings and not quote them if they aren't
02:16 <dolphm> morganfainberg: or raise exceptions if they're not
02:16 <stevemar> morganfainberg, quit being reasonable
02:16 <morganfainberg> And throw a warn or something asking for a bug report if it ever is hot.
02:16 <dolphm> morganfainberg: because then something else is broken
02:17 <morganfainberg> Hit*
02:17 <morganfainberg> or exception. Yes.
02:17 <bknudson> hot tokens!
02:17 <jamielennox> dolphm: history: https://github.com/openstack/python-keystoneclient/commit/d782a998474d92d4299b4404b69442f0288efc3b#diff-bd6505432da8629a1e85b25349a8d5d0R987
02:17 <morganfainberg> Though I'd like to really put a change like that through its paces before we make it.
02:17 *** raildo has quit IRC
02:17 <morganfainberg> Is the safe quote in ksc middleware?
02:18 <lbragstad> morganfainberg: yep
02:18 <lbragstad> morganfainberg: dolphm https://github.com/openstack/python-keystoneclient/blob/fc1f5a7963adb3c39f48131af5117bfafa3b07e7/keystoneclient/middleware/auth_token.py#L1127
02:20 <dolphm> and THAT'S IN A HEADER!
02:20 <morganfainberg> dolphm: insane right?
02:21 <dolphm> ugh https://bugs.launchpad.net/keystone/+bug/974319
02:21 <openstack> Launchpad bug 974319 in python-keystoneclient "auth_token does not quote token to validate" [Low,Fix released] - Assigned to Dolph Mathews (dolph)
02:21 *** erkules_ has joined #openstack-keystone
02:21 <dolphm> morganfainberg: let's raise an exception if token != quoted(token)
02:23 <lbragstad> dolphm: that would break Fernet again
02:23 *** erkules has quit IRC
02:23 <dolphm> lbragstad: why?
02:24 *** davechen has quit IRC
02:24 *** davechen has joined #openstack-keystone
02:24 <lbragstad> token will come in as something like 'somethingsomethingsometing==' and the quoted version of that would change it to be 'somethingsomethingsomething%3D'
02:24 <morganfainberg> If fernet tokens aren't url safe we should make them
02:25 <dolphm> oh because urllib.quote('=') != '='
02:25 <lbragstad> yes
02:25 <morganfainberg> Keystone should not issue non-url-safe tokens.
02:25 <morganfainberg> So fix it in keystone.
02:26 <dolphm> morganfainberg: i think the question is why '=' is not a default safe char in https://docs.python.org/2/library/urllib.html#urllib.quote
02:26 <morganfainberg> dolphm: ?thing=thing
02:26 <dolphm> morganfainberg: the documentation specifically says it's for url safety in a path, not in a query string
02:27 <lbragstad> and '?' will never be in a Fernet token, correct?
02:27 *** ayoung has quit IRC
02:27 <dolphm> lbragstad: correct
02:27 <morganfainberg> dolphm: because = isn't urlsafe by the standard iirc
02:28 <dolphm> morganfainberg: i think base64.urlsafe_b64encode() output is correct, and URL safe for use in paths (GET /v2.0/tokens/{fernet_token})
02:28 *** telemons1er is now known as telmnstr
02:28 *** telmnstr is now known as telemonster
02:28 <dolphm> morganfainberg: that's the only place we care about safety anyway
02:28 <dolphm> we're certainly not putting them in query strings, and don't ever want to put them in paths again
02:28 <morganfainberg> dolphm: '=' is reserved as a delim: https://tools.ietf.org/html/rfc3986#section-2.2
02:29 <morganfainberg> It is not urlsafe by the spec.
02:30 <morganfainberg> It can be used as an alternative delimiter.
02:30 <morganfainberg> So. If it's in urlsafe b64, the b64 encoder is wrong.
02:30 <dolphm> morganfainberg: i think you're misreading the spec
02:30 *** diegows has quit IRC
02:30 <dolphm> morganfainberg: look at where the subdelim definition is applied
02:32 <morganfainberg> dolphm: they are called out as reserved explicitly.
02:32 <morganfainberg> Even if they are stated separately as sub-delims
02:34 *** browne has joined #openstack-keystone
02:34 <dolphm> morganfainberg: "For example, the semicolon (";") and equals ("=") reserved characters are often used to delimit parameters and parameter values applicable to that segment."
02:34 <dstanek> morganfainberg: i do read that as '=' can be used to delimit the path
02:34 <dolphm> morganfainberg: so, you can use both in path segments
02:34 <dstanek> morganfainberg: dolphm: but the original rfc i think they are illegal http://www.ietf.org/rfc/rfc1738.txt
02:34 <morganfainberg> dstanek: that is how I read it
02:35 <morganfainberg> Meaning /thing=thing/otherthing
02:35 <dolphm> GET google.com/api;v=1.1/search?query=foobar would be valid
02:35 *** zzzeek has joined #openstack-keystone
02:36 <morganfainberg> So use without it as a delim is not allowed. Where it is "safe" if you say "encode this for me" it wouldn't be allowed.
02:37 <morganfainberg> So it's a difference in "make this string urlsafe" and "construct a url with a sub-delim"
02:37 <morganfainberg> We are in the former category here. As I read the rfc
02:39 <dolphm> http://en.wikipedia.org/wiki/Base64#Decoding_Base64_with_padding
02:39 <dolphm> bad link, http://en.wikipedia.org/wiki/Base64#Implementations_and_history
02:40 <morganfainberg> Yeah was reading that one
02:42 <morganfainberg> Rfcs are dense reading.
02:43 <dstanek> rfc reading is what sigmavirus24_awa is for
02:43 <dolphm> dstanek: yeah but he's occupied
02:43 <morganfainberg> dstanek: lol
02:44 * dolphm is testing a patch for keystone
02:44 <dstanek> dolphm: 3ds i think ;-)
02:44 <dolphm> dstanek: lol i thought he went downtown?
02:44 <morganfainberg> dolphm: so all the references point to = needing to be % encoded in urls. But I admit I'm reading on a phone.
02:45 <dstanek> dolphm: no nolan, claco, ian and a few others went to logan's
02:45 <dstanek> that's why i'm back at the hotel
02:46 <morganfainberg> Oh so I'm in Austin this week. Wish me luck :(. Sxsw :(
02:46 <lbragstad> dstanek: fyi, if you need a ride, the hotel is on my way to work
02:46 <morganfainberg> (Well tomorrow through Friday)
02:46 <dolphm> dstanek: ah
02:46 <lbragstad> me shakes fist as morganfainberg!
02:46 * lbragstad fail
02:46 <dolphm> morganfainberg: grr
02:46 <lbragstad> tix were so damn expensive when I checked
02:46 <morganfainberg> Not going to sxsw. Ick.
02:47 <morganfainberg> Have a meeting for summit stuff.
02:47 <lbragstad> oh
02:47 * lbragstad unshakes fist
02:47 <morganfainberg> The :( was cause sxsw is happening.
02:47 <morganfainberg> And I have to deal with it.
02:47 <morganfainberg> And the crowds in town.
02:48 <dstanek> morganfainberg: i bet
02:48 <dstanek> lbragstad: thx, i'll let you know - what time do you normally go to work?
02:48 <lbragstad> dstanek: I can be there whenever, typically by 8
02:57 <openstackgerrit> Jorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens  https://review.openstack.org/159229
02:57 *** _cjones_ has joined #openstack-keystone
02:58 <dolphm> morganfainberg: i imagine this patch to keystone should work? http://cdn.pasteraw.com/1pzoiucqc76jrztscto57oq9w4rmjpm
02:58 <lbragstad> jorge_munoz: nice, I was just working on addressing those
02:59 <samueldmq> lbragstad, there are only 2 remaining fernet patches ?
02:59 <lbragstad> samueldmq: yeah
02:59 <samueldmq> lbragstad, 159229 and 164348
02:59 <lbragstad> dolphm: any ideas on this comment?
02:59 <lbragstad> https://review.openstack.org/#/c/164348/4/keystone/auth/plugins/core.py
02:59 <dolphm> samueldmq: and a bug fix, somewhere, possibly
02:59 <samueldmq> dolphm, what's the issue?
03:00 <lbragstad> dolphm: that patch looks good to me
03:00 <dolphm> lbragstad: bitwise makes that easier?
03:00 <dolphm> samueldmq: the issue that this is trying to address https://review.openstack.org/#/c/165269/1
03:00 <dolphm> samueldmq: which this branch is reproducing https://github.com/dolph/keystone-deploy/tree/fernet-tokens
03:00 <lbragstad> dolphm: the deployer methods part?
03:01 *** Hilomomo has joined #openstack-keystone
03:01 <samueldmq> dolphm, k, I will have a look
03:01 <dolphm> samueldmq: test failures look like this https://travis-ci.org/dolph/keystone-deploy/builds/54734386
03:01 *** zzzeek has quit IRC
03:01 <dolphm> samueldmq: you can follow the travis-ci setup if you want to run keystone-deploy
03:02 <dolphm> lbragstad: yeah...
03:02 <dolphm> lbragstad: otherwise, i don't really have an answer? it depends on the deployers requirements
03:02 <dolphm> lbragstad: (how many methods they need, etc)
03:02 <lbragstad> yeah
03:03 <dolphm> lbragstad: maybe we should read methods out of CONF?
03:03 <lbragstad> dolphm: and build the method map according to that?
03:03 <dolphm> lbragstad: exactly
03:03 *** Hilomomo has left #openstack-keystone
03:03 <dolphm> lbragstad: that way it's flexible, but comes with the caveat that two deployments might differ
03:03 <lbragstad> so,
03:04 <dolphm> lbragstad: and adding a method anywhere but the end will cause issues with existing tokens?
03:04 <lbragstad> just read in whatever, and set them to 1, 2, 4, 8, etc
03:04 <dolphm> lbragstad: i think, yeah.
03:04 <dolphm> bknudson: ^
03:08 <openstackgerrit> Dolph Mathews proposed openstack/keystone: URL quote fernet tokens  https://review.openstack.org/165279
03:11 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Use existing token test for Fernet tokens.  https://review.openstack.org/164348
03:15 *** gyee has quit IRC
03:16 *** davechen has left #openstack-keystone
03:16 *** davechen has joined #openstack-keystone
03:17 *** lhcheng has joined #openstack-keystone
03:19 <openstackgerrit> Dolph Mathews proposed openstack/keystone: URL quote fernet tokens  https://review.openstack.org/165279
03:19 <samueldmq> dolphm, just a dumb question ....
03:19 <dolphm> morganfainberg: ^ fix
03:19 <dolphm> lbragstad: dstanek: ^
03:19 <samueldmq> dolphm, don't you need X-Subject-Token here (https://github.com/dolph/keystone-deploy/blob/fernet-tokens/test_exercises.py#L119-L121)
03:19 *** ajayaa has joined #openstack-keystone
03:20 <dolphm> samueldmq: i was actually *just* thinking that the method name there is poorly chosen...
03:20 *** richm has quit IRC
03:20 <dolphm> samueldmq: the answer to your question is "no" because it's not actually hitting keystone (it's not using GET /v3/auth/tokens)
03:20 <dolphm> samueldmq: instead, ECHO_ENDPOINT is a service like nova, which is protected by the auth_token middleware
03:21 <dolphm> samueldmq: so the test is validating the token by requesting a protected URL, and auth_token is actually calling GET /v3/auth/tokens + X-Subject-Token before the protected URL is returned
03:23 <dolphm> samueldmq: any suggestions for a better method name?
03:24 <dolphm> samueldmq: you can see auth_token wrapping the ECHO_ENDPOINT (and the echo application itself) here: https://github.com/dolph/keystone-deploy/blob/fernet-tokens/playbooks/roles/http/templates/echo.py
03:25 <samueldmq> dolphm, dunno about a better name ... maybe get_resource, or get_keystone_protected_resource :p
03:26 <samueldmq> dolphm, a comment explaining what is actually happening
03:26 <samueldmq> dolphm, I got what is being done behind that, thanks for the explanation
03:27 * samueldmq is looking at the echo.py now.. he wants to see the magic there
03:31 <samueldmq> dolphm, k so how far you are now when debugging?
03:31 <samueldmq> dolphm, any logs from keystonemiddleware/keystone?
03:32 <openstackgerrit> Dolph Mathews proposed openstack/keystone: URL quote fernet tokens  https://review.openstack.org/165279
03:32 <dolphm> samueldmq: i think that's the fix for the first issue i'm seeing ^
03:33 <dolphm> samueldmq: but of course there's a second issue :)
03:33 <samueldmq> dolphm, and this one (https://review.openstack.org/#/c/165269) ?
03:33 *** csoukup has joined #openstack-keystone
03:34 <dolphm> samueldmq: that "fixes" the issue, but we determined in the conversation above that making the tokens URL safe in the first place was the more reliable approach
03:36 <samueldmq> dolphm, k so let's not remove the safe_quote thing
03:36 * samueldmq reads the above conversation
03:36 <dolphm> samueldmq: so with the url-safety fix on the keystone side, i still get a failing test: http://cdn.pasteraw.com/iqpm8li0ehyffrtdpxn7ash1we6rh6f
03:36 <dolphm> (which is a different issue)
03:44 *** nellysmitt has joined #openstack-keystone
03:48 *** csoukup has quit IRC
03:48 <samueldmq> dolphm, did you modify test_exercises.py locally? (the upstream one hasn't even the line 192)
03:48 <samueldmq> based on the pasteraw above ..
03:48 *** _cjones_ has quit IRC
03:48 *** nellysmitt has quit IRC
03:49 <dolphm> samueldmq: ah, yes
03:49 <dolphm> samueldmq: i thought this would help narrow the cause of the failure, but it did not http://cdn.pasteraw.com/l9hqpyloyd34lirdapsoay0dskj89aj
03:49 <dolphm> samueldmq: hence i didn't commit
03:53 <samueldmq> dolphm, ok, so it fails in the first rescope
03:53 <dolphm> samueldmq: ++
03:54 <dolphm> samueldmq: my current guess is that only on rescoping does a token pass through json.loads(), which i think turns everything into unicode
03:54 <dolphm> samueldmq: but fernet tokens can't be unicode (even though they're ascii strings?)
03:55 <dolphm> samueldmq: python -c "from cryptography.fernet import Fernet; f = Fernet(Fernet.generate_key()).decrypt(u'asdf')"
03:55 <samueldmq> dolphm, pki/pkiz still works, right?
03:56 <dolphm> samueldmq: i'm having some other issue with those two :(
03:57 <samueldmq> dolphm, ah, so we've introduced a bug ..
03:59 <openstackgerrit> Merged openstack/python-keystoneclient: Implements subtree_as_ids and parents_as_ids  https://review.openstack.org/150078
03:59 <dolphm> samueldmq: https://bugs.launchpad.net/keystone/+bug/1431669
03:59 <openstack> Launchpad bug 1431669 in Keystone "Create saml assertion doesn't work with fernet token" [High,Triaged] - Assigned to Dolph Mathews (dolph)
04:01 *** ajayaa has quit IRC
04:04 *** csoukup has joined #openstack-keystone
04:05 <samueldmq> dolphm, I'm trying to deploy that with ansible by myself ...
04:05 <samueldmq> dolphm, then I'll be able to debug
04:06 <samueldmq> dolphm, if I can't debug, I can't help, for sure :)
04:06 <dolphm> samueldmq: let me know if you need a hand
04:06 <dolphm> samueldmq: i need to write new docs for keystone-deploy!
04:06 <samueldmq> dolphm, k, tbh I am not so familiar with ansible :)
04:07 <samueldmq> dolphm, once I downloaded your code, i) cp sample_inventory inventory ii) ansible-playbook -i inventory --sudo deploy.yaml
04:07 <dolphm> samueldmq: the part that's especially hard to document is how ansible should authenticate with your deployment node
04:07 <dolphm> samueldmq: open up .travis.yml in the root dir
04:08 <samueldmq> yes ...
04:08 <dolphm> samueldmq: you'll also need to run the "ansible-galaxy install ..." command like travis does
04:08 <dolphm> samueldmq: and then you have a bunch of options for actually running the playbook
04:08 <dolphm> samueldmq: (in terms of auth)
04:09 *** csoukup has quit IRC
04:09 <dolphm> samueldmq: can you "ssh root@$VM_IP" for example ?
04:09 <dolphm> samueldmq: where $VM_IP is wherever you want to deploy keystone to?
04:10 <samueldmq> dolphm, wait .. do I need to have a keystone running? or will this playbook install one for me?
04:14 <dolphm> samueldmq: this will install keystone
04:15 <dolphm> samueldmq: behind apache w/ mysql, using UUID
04:15 <dolphm> samueldmq: it'll also install the echo app in the same apache server
04:16 <samueldmq> dolphm, all this on 192.168.111.222 (the vagrant vm), right?
04:16 <dolphm> samueldmq: yep
04:16 <dolphm> samueldmq: didn't realize you were using vagrant
04:16 <samueldmq> dolphm, I don't want to
04:16 <dolphm> samueldmq: you don't have to!
04:17 <samueldmq> dolphm, that's why you were telling me about 'can you "ssh root@$VM_IP" for example ?'
04:17 <dolphm> samueldmq: i've only tested with Ubuntu 12.04 recently though
04:17 <samueldmq> dolphm, where do I set my vm_ip/credentials?
04:17 <dolphm> samueldmq: yes, i'm running both my ansible host and keystone on vms in rackspace public cloud
04:17 <dolphm> samueldmq: that's all through the ansible-playbook command
04:18 <samueldmq> ansible-playbook --connection=local --inventory-file='localhost,' --sudo deploy.yaml
04:18 <dolphm> samueldmq: for vagrant, i think it would just be -i "192.168.111.222," --user=vagrant --sudo
04:18 <dolphm> samueldmq: don't use --connection=local!
04:18 <dolphm> that will run the playbook against your laptop or whatever
04:18 <samueldmq> yes, I replace it with my vm's ip
04:19 <samueldmq> lol
04:19 <dolphm> you don't need to specify a --connection
04:19 <samueldmq> my poor laptop, I guess I would disconnect lol
04:19 <dolphm> ansible uses ssh by default
04:20 <samueldmq> k then .. so 'ansible-playbook --inventory-file='MY_VM_IP,' --user=myuser --sudo deploy.yaml'
04:20 <samueldmq> --password?
04:20 <dolphm> samueldmq: that's up to you. i use ssh keys, so i don't specify anything
04:20 <samueldmq> yes, was about to ask that ...
04:21 <dolphm> samueldmq: --ask-pass will prompt for ssh password
04:21 <samueldmq> user ubuntu then ... since I'll be using ubuntu-14-cloudimg
04:21 <dolphm> (i hope 14.04 works!)
04:21 <samueldmq> dolphm, k, just need to get a vm on our cloud and run it :)
04:21 <samueldmq> dolphm, would recommend 12 ? or should I try 14?
04:22 <dolphm> samueldmq: i only recommend 12 because that's what travis uses (no choice), so that's what i've tested with
04:22 <samueldmq> dolphm, k
04:22 <dolphm> ooh, $ cp sample_inventory inventory
04:22 <dolphm> and edit that with your server's IP
04:23 <dolphm> and then use "-i inventory" instead of -i / --inventory-file
04:24 <samueldmq> dolphm, nice
04:25 <samueldmq> dolphm, update the server's ip and the user, right? (on inventory)
04:25 <dolphm> samueldmq: yes
04:26 <openstackgerrit> Dolph Mathews proposed openstack/keystone: URL quote Fernet tokens  https://review.openstack.org/165279
04:27 <dolphm> i *think* that's a complete fix for fernet ^
04:27 *** tqtran has quit IRC
04:27 <samueldmq> dolphm, running the tasks ...
04:27 <samueldmq> :)
04:27 <dolphm> samueldmq: yay!
04:28 <samueldmq> dolphm, ansible looks to be amazing :) I need to play with it
04:29 <dolphm> samueldmq: have you ever used python's Fabric?
04:29 <samueldmq> dolphm, no :/
04:29 <dolphm> samueldmq: don't bother now :P
04:30 <dolphm> samueldmq: it long predates ansible, but it's in the same spirit. simple ssh-based remote config management
04:30 <samueldmq> dolphm, yep :p
04:30 <samueldmq> dolphm, http://cdn.pasteraw.com/6rbznq783nhyypcetk943e1w04vjo0p
04:30 <samueldmq> dolphm, got an error
04:30 <lbragstad> dolphm: so,
04:31 <stevemar> dolphm, how much of a PITA is it to deploy keystone under https?
04:31 <lbragstad> I figured out a way to convert methods to an integer and back to a list of methods dynamically based on the config
stevemarand do the ports change? i am assuming they don't04:31
dolphmsamueldmq: weird. login and $ ssh-keyscan -H raw.github.com > ~/.ssh/known_hosts04:31
dolphmstevemar: using apache or eventlet?04:32
stevemardolphm, apache04:32
*** ncoghlan has joined #openstack-keystone04:32
samueldmqdolphm, done ... retrying now04:32
dolphmstevemar: pretty straight forward if you have certs ready to go http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html04:32
dolphmlbragstad: review!04:33
openstackgerritLance Bragstad proposed openstack/keystone: Use existing token test for Fernet tokens.  https://review.openstack.org/16434804:33
samueldmqdolphm, same issue :/04:33
lbragstaddolphm: ^04:33
dolphmlbragstad: just tested fernet-tokens and all six tests pass with https://review.openstack.org/16527904:33
lbragstaddolphm: nice04:33
lbragstaddolphm: check out that method -> int, int -> method list fix :)04:34
dolphmsamueldmq: OH, SSL certs...04:34
dolphmsamueldmq: uhh that's super weird, would your vm be behind a firewall or something?04:35
dolphmsamueldmq: anything that's intercepting requests?04:35
dolphmsamueldmq: can you $ curl https://github.com/04:35
dolphmor $ curl https://raw.github.com/04:35
samueldmqdolphm, from my vm? yes I can04:35
stevemardolphm, that's about as straight forward as a nascar track04:36
dolphmsamueldmq: yeah, hmm04:36
dolphmstevemar: ?04:36
dolphmstevemar: oh lol04:36
*** ajayaa has joined #openstack-keystone04:37
*** rushiagr_away is now known as rushiagr04:37
stevemardolphm, i'm guessing just any old cert won't work?04:37
stevemarrequires a Global ID server certificate, signed by a special CA certificate from Verisign04:38
dolphmlbragstad: https://docs.python.org/2/library/functions.html#enumerate04:38
dolphmlbragstad: oh nvm04:39
dolphmlbragstad: well, don't you need to pow(method_index, 2) ?04:39
lbragstaddolphm: yeah, that would work04:40
dolphmlbragstad: your way works!04:41
dolphmi was misreading it04:41
* lbragstad cracks moar beers!04:43
lbragstaddolphm: so that *should* work with whatever is put into config04:43
lbragstadcc bknudson ^04:43
samueldmqdolphm, I could set 'validate_certs=no' to skip that ... but I don't know exactly where I set this option04:45
dolphmlbragstad: i had to stop at specs on the way home04:45
dolphmsamueldmq: based on the error (and i really don't understand why you're getting that error) you'd actually do validate_certs=no in the role you installed from ansible-galaxy04:46
dolphmsamueldmq: you should be able to find the failing task in playbooks/roles/something.pip/tasks04:47
dolphmsomething = author's name04:47
*** ajayaa has quit IRC04:47
*** boris-42 has joined #openstack-keystone04:47
samueldmqbobbyrenwick.pip04:47
dolphmyes04:47
dolphmsamueldmq: i assume the validate_certs it's referring to is from get_url http://docs.ansible.com/get_url_module.html04:48
lbragstaddolphm: ++04:48
dolphmlbragstad: are the methods alphabetical, or order of appearance in keystone.conf?04:51
*** dims has joined #openstack-keystone04:52
morganfainberghm.04:52
lbragstaddolphm: not sure, checking04:53
samueldmqdolphm, passed that task .. but still running others04:54
samueldmq:-)04:54
dolphmmorganfainberg: samueldmq is getting setup to verify, but https://review.openstack.org/#/c/165279/ seems to resolve both issues i was seeing with fernet04:54
morganfainbergnice04:54
morganfainbergand how broken are PKI tokens if at all?04:55
dolphmmorganfainberg: i get the same behavior with PKI -- 401's instead of 200s'04:56
dolphmPKI(Z)04:56
*** dims has quit IRC04:57
morganfainbergdolphm, ack04:57
morganfainbergyay for "urlsafe" being only sortof urlsafe04:58
*** stevemar has quit IRC04:58
*** stevemar has joined #openstack-keystone04:59
*** ChanServ sets mode: +v stevemar04:59
morganfainbergdolphm, i'd like to see a test for this as well that goes into the basic token test the whole string != quoted string [if possible]04:59
morganfainbergesp. so we can show pki(z) broken in a similar fashion05:00
openstackgerritIan Wienand proposed openstack/keystone: Use default value for sha512_crypt rounds  https://review.openstack.org/16529505:01
samueldmqdolphm, ubuntu@10.3.2.174          : ok=29   changed=22   unreachable=0    failed=005:01
samueldmqdolphm, :)05:01
dolphmmorganfainberg: the only logging i get for PKI/Z is from keystonemiddleware: eystonemiddleware.auth_token:Authorization failed for token05:02
dolphmsamueldmq: sweet!05:02
dolphmsamueldmq: so now you've got keystone installed via python setup.py install05:02
dolphmsamueldmq: and keystonemiddleware and python-keystoneclient installed via pip05:02
morganfainbergdolphm, yeah. i commented on your review re: tests, but i'm not too worried about this atm. it's clearly been semi-b0rken for a bit and we can make sure we fix it right for pki(z) as well05:03
morganfainbergfernet wont work w/o this.05:03
dolphmsamueldmq: so, you can go into /opt/keystone and make changes, and run python setup.py install && service apache2 restart for your changes to take effect05:03
samueldmqdolphm, hmm.. so I need to go in pip dist-packages to update any code in keystonemiddleware05:03
dolphmsamueldmq: if you want - but https://review.openstack.org/#/c/165279/ is just a fix to keystone itself05:03
samueldmqdolphm, ah sure ... the keystonemiddleware one was an old fix ... sorry05:04
dolphmmorganfainberg: ++ just wanted to get the fix up for tonight05:04
dolphmsamueldmq: you can HTTPS + cherry pick that review into /opt/keystone05:04
* dolphm is going to sleep05:08
samueldmqdolphm, ack05:08
lbragstadyeah, I'm out...05:08
dolphmlbragstad: o/05:08
lbragstaddolphm: I'll +2 your change in the morning if it's not approved by then,05:09
morganfainbergdolphm, so "cities: skylines" - everything sim city should have been.05:11
morganfainbergdolphm, so good.05:11
*** stevemar has quit IRC05:11
*** stevemar has joined #openstack-keystone05:12
*** ChanServ sets mode: +v stevemar05:12
samueldmqdolphm, tests take a long time to run here ...05:13
openstackgerritIan Wienand proposed openstack/keystone: Use default value for sha512_crypt rounds  https://review.openstack.org/16529505:14
*** jorge_munoz1 has left #openstack-keystone05:17
*** markvoelker has quit IRC05:33
*** rushiagr is now known as rushiagr_away05:36
*** nellysmitt has joined #openstack-keystone05:44
*** nellysmitt has quit IRC05:49
*** __afazekas is now known as afazekas05:52
*** afazekas is now known as __afazekas05:53
*** ajayaa has joined #openstack-keystone06:01
*** rushiagr_away is now known as rushiagr06:03
*** henrynash has joined #openstack-keystone06:24
*** ChanServ sets mode: +v henrynash06:24
*** nellysmitt has joined #openstack-keystone06:32
*** markvoelker has joined #openstack-keystone06:33
*** henrynash has quit IRC06:34
*** ishant has joined #openstack-keystone06:35
*** henrynash has joined #openstack-keystone06:36
*** ChanServ sets mode: +v henrynash06:36
*** markvoelker has quit IRC06:38
samueldmqhenrynash, ping - you around?06:45
henrynashsamueldmq: hi06:46
samueldmqsamueldmq, I need help running keystone-manage :)06:46
samueldmqoops, henrynash  ^06:46
henrynashok :-)06:46
samueldmqkeystone-manage pki_setup is basically what I want06:46
samueldmqbut it asks me to provide --keystone-user and --keystone-group06:46
henrynashok (never tried that option)…but let’s continue!06:47
samueldmqI provided a valid user name and a valid group name06:47
*** afazekas has joined #openstack-keystone06:47
samueldmqand I get errors06:47
samueldmqUnknown user 'administrator' in --keystone-user06:47
samueldmq(it's just a setup for  tests)06:48
henrynashsamueldmq: so it will check that that user is a valid linux user….06:49
henrynashI assume it is?06:49
*** _cjones_ has joined #openstack-keystone06:49
samueldmqhenrynash, ah.. a user in the system ....06:49
samueldmqhenrynash, not in keystone06:49
henrynashyep06:49
henrynashsince it’s going to run openssl on your system06:50
samueldmqhenrynash, it worked, thanks!06:51
henrynashnp06:51
samueldmqhenrynash, I think I need to sleep :p06:52
*** _cjones_ has quit IRC06:54
henrynash:-)06:54
*** browne has quit IRC06:55
*** mestery has quit IRC06:58
stevemarwho needs sleep07:01
stevemarit's over-rated07:01
samueldmqstevemar, sorry :/07:03
stevemarsamueldmq, for what?07:03
samueldmqstevemar, I said I needed to sleep :p07:03
stevemari suppose it's important07:04
samueldmqyes, after getting things working :)07:04
*** Trozz has joined #openstack-keystone07:05
samueldmqstevemar, when my setup uses pki ... I ran keystone-manage pki_setup on server side07:06
samueldmqstevemar, what do I need to do in the client side (who has keystoneclient)?07:07
samueldmqhenrynash, ^07:07
stevemarsamueldmq, why would you have to do anything different?07:08
stevemarjust authenticate the usual way07:08
samueldmqstevemar, keystonemiddleware is on the clientside, right?07:09
henrynashdon’t you need to tell the middleware where the certs are etc.?07:09
lifelessno07:09
samueldmqstevemar, doesn't it need to know the certificates?07:09
stevemarmiddleware is for interacting between services07:09
lifelessthe middleware  usually refers to wsgi layers that run in other non-keystone OpenStack API servers07:09
henrynashlifeless: not in this case….samueldmq means keystoneclient middleware07:10
stevemarhenrynash now you're combining the two07:10
henrynashoh. maybe I’m misunderstanding samueldmq’s question, then07:11
samueldmqI think lifeless is right ..07:11
samueldmqbut in this case, how does keystonemiddleware know the certificates?07:11
samueldmqI think I am missing something ...07:11
stevemarsamueldmq, through config options: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L276-L27707:13
samueldmqstevemar, yes, I think that's it ... :) will try thanks07:14
samueldmqlifeless, thanks07:14
henrynashstevemar: but are u saying that the keystonemiddleware is not client side?07:15
henrynash(agree it is via conf options to set up…)07:15
stevemarhenrynash, it's not exactly an end-user tool, it's for inter-service chatter07:15
*** hogepodge has quit IRC07:16
henrynashstevemar: oh, ok, sure…yes it’s definitely not an end-user tool….just checking that we had not changed its intended use when we split it out into its own repo07:16
stevemarhenrynash, all the examples in the middleware docs are adding it to nova and such07:16
stevemaryeah, i guess i was being picky about the term client side07:17
henrynashstevemar: ok, yes, I was not precise in my statement - I meant non-keystone-server-side07:17
samueldmqstevemar, where do keystonemiddleware configs live?07:17
*** markvoelker has joined #openstack-keystone07:17
stevemarsamueldmq, http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#configuration07:18
stevemarsamueldmq, so in a paste pipeline for nova or some service, you add a new keystone_authtoken section, and add it to the pipeline07:19
samueldmqstevemar, k makes sense07:19
*** aix has quit IRC07:20
*** nellysmi_ has joined #openstack-keystone07:21
*** markvoelker has quit IRC07:21
*** nellysmitt has quit IRC07:22
*** nellysmi_ has quit IRC07:26
*** nellysmitt has joined #openstack-keystone07:28
*** lhcheng is now known as lhcheng_afk07:36
*** samueldmq has quit IRC07:40
*** stevemar has quit IRC07:50
*** ishant has quit IRC07:50
*** ishant has joined #openstack-keystone07:51
*** Bsony has joined #openstack-keystone07:58
*** rushiagr is now known as rushiagr_away08:05
*** rushiagr_away is now known as rushiagr08:11
*** markvoelker has joined #openstack-keystone08:18
*** jistr has joined #openstack-keystone08:22
*** markvoelker has quit IRC08:23
*** lsmola has joined #openstack-keystone08:25
*** Trozz is now known as zzTrozz08:28
*** zzTrozz is now known as Trozz08:28
*** uschreiber_ has joined #openstack-keystone08:32
*** uschreiber_ has quit IRC08:33
*** lhcheng_afk has quit IRC08:36
*** uschreiber_ has joined #openstack-keystone08:38
*** uschreiber_ has quit IRC08:39
*** uschreiber_ has joined #openstack-keystone08:41
*** uschreiber_ has quit IRC08:42
*** uschreiber_ has joined #openstack-keystone08:42
*** uschreiber_ has quit IRC08:42
*** erkules_ is now known as erkules09:07
*** erkules has joined #openstack-keystone09:07
*** boris-42 has quit IRC09:12
*** markvoelker has joined #openstack-keystone09:19
*** hogepodge has joined #openstack-keystone09:22
*** markvoelker has quit IRC09:23
*** ncoghlan has quit IRC09:28
*** afazekas_ has joined #openstack-keystone09:31
*** lhcheng_afk has joined #openstack-keystone09:37
*** lhcheng_afk has quit IRC09:41
*** dims_ has joined #openstack-keystone09:43
*** afazekas_ has quit IRC09:45
*** davechen has left #openstack-keystone09:51
*** nellysmitt has quit IRC10:13
*** markvoelker has joined #openstack-keystone10:19
*** samueldmq has joined #openstack-keystone10:22
samueldmqmorning10:22
marekdsamueldmq: hey10:22
*** markvoelker has quit IRC10:24
samueldmqmarekd, hello! o/10:24
samueldmqhenrynash, morning - nice job on the 'supporting status in JSON Home' :)10:25
henrynashsamueldmq: thx10:26
* samueldmq feels he needs to try JSON Home by himself, as he was one of the services querying keystone's resources10:26
*** mestery has joined #openstack-keystone10:26
openstackgerritMarek Denis proposed openstack/keystone: Remove SELinux section from httpd config  https://review.openstack.org/16451510:32
*** nellysmitt has joined #openstack-keystone10:35
*** nellysmitt has quit IRC10:37
*** lhcheng_afk has joined #openstack-keystone10:38
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215610:39
*** fmarco76 has joined #openstack-keystone10:42
*** lhcheng_afk has quit IRC10:43
samueldmqdolphm, lbragstad ping - I need a hand to set up Fernet tokens on dolph's keystone-deploy10:43
*** boris-42 has joined #openstack-keystone10:51
*** henrynash has quit IRC10:51
*** Bsony_ has joined #openstack-keystone10:54
*** amakarov_away is now known as amakarov10:54
*** nellysmitt has joined #openstack-keystone10:55
*** ajayaa has quit IRC10:56
*** Bsony has quit IRC10:57
*** rushiagr is now known as rushiagr_away11:01
*** nellysmitt has quit IRC11:08
*** fmarco76 has quit IRC11:09
*** tqtran has joined #openstack-keystone11:18
*** markvoelker has joined #openstack-keystone11:20
*** krykowski has joined #openstack-keystone11:23
*** tqtran has quit IRC11:23
*** markvoelker has quit IRC11:25
*** nellysmitt has joined #openstack-keystone11:33
*** ParsectiX has joined #openstack-keystone11:35
*** nellysmitt has quit IRC11:43
*** ajayaa has joined #openstack-keystone11:48
*** rushiagr_away is now known as rushiagr11:51
samueldmqdolphm I set up Fernet tokens, but your patch does not solve all the issues here ...11:57
*** david-lyle_afk is now known as david-lyle12:00
*** markvoelker has joined #openstack-keystone12:02
*** mattfarina has joined #openstack-keystone12:05
*** mattfarina has quit IRC12:08
*** mattfarina has joined #openstack-keystone12:09
*** mattfarina has quit IRC12:11
*** tqtran has joined #openstack-keystone12:11
*** mattfarina has joined #openstack-keystone12:12
*** dims_ has quit IRC12:22
*** dims_ has joined #openstack-keystone12:22
*** henrynash has joined #openstack-keystone12:25
*** ChanServ sets mode: +v henrynash12:25
*** raildo_away is now known as raildo12:28
openstackgerritMerged openstack/keystone: Remove RestfulTestCase.admin_request  https://review.openstack.org/16451612:29
*** jaosorior has joined #openstack-keystone12:38
*** jistr is now known as jistr|biab12:39
*** henrynash has quit IRC12:41
*** topol has joined #openstack-keystone12:46
*** ChanServ sets mode: +v topol12:46
*** henrynash has joined #openstack-keystone12:46
*** ChanServ sets mode: +v henrynash12:46
*** rushiagr is now known as rushiagr_away12:49
*** henrynash has quit IRC12:56
*** gordc has joined #openstack-keystone12:59
*** boris-42 has quit IRC13:02
*** gordc has quit IRC13:02
*** Ephur has joined #openstack-keystone13:03
*** gordc has joined #openstack-keystone13:04
*** mattfarina has quit IRC13:05
*** bknudson has quit IRC13:06
openstackgerritMarek Denis proposed openstack/keystone: Distinguish between unset and empty black and white lists  https://review.openstack.org/16479813:12
*** mattfarina has joined #openstack-keystone13:14
*** diegows has joined #openstack-keystone13:14
*** tqtran has quit IRC13:18
*** rushiagr_away is now known as rushiagr13:20
openstackgerritMerged openstack/keystone: Wrap apache-httpd.rst  https://review.openstack.org/16450513:24
openstackgerritMerged openstack/keystone: Remove SSL configuration instructions from HTTPd docs  https://review.openstack.org/16450713:24
*** richm1 has joined #openstack-keystone13:24
*** richm1 is now known as richm13:25
*** diegows has quit IRC13:25
*** bknudson has joined #openstack-keystone13:27
*** ChanServ sets mode: +v bknudson13:27
*** zzzeek has joined #openstack-keystone13:34
*** jistr|biab is now known as jistr13:39
*** boris-42 has joined #openstack-keystone13:41
*** krykowski has quit IRC13:43
*** csoukup has joined #openstack-keystone13:48
*** ishant has quit IRC13:48
*** fifieldt has quit IRC13:51
*** zzzeek has quit IRC13:52
*** iamjarvo has joined #openstack-keystone13:55
*** samueldmq is now known as samueldmq-away13:55
dolphmsamueldmq-away: git checkout fernet-tokens and run ansible again14:02
*** sigmavirus24_awa is now known as sigmavirus2414:08
*** samueldmq has joined #openstack-keystone14:11
*** angular_mike has joined #openstack-keystone14:13
*** nellysmitt has joined #openstack-keystone14:15
*** lhcheng_afk has joined #openstack-keystone14:16
*** iamjarvo has quit IRC14:18
*** iamjarvo has joined #openstack-keystone14:19
*** lhcheng_afk has quit IRC14:20
*** timcline has joined #openstack-keystone14:24
*** mestery has quit IRC14:27
openstackgerritDolph Mathews proposed openstack/keystone: URL quote Fernet tokens  https://review.openstack.org/16527914:36
openstackgerritMerged openstack/pycadf: update README.rst to include additional links  https://review.openstack.org/16523214:38
dims_howdy folks - i see curl statements from keystoneclient.session in a whole bunch of server side logs - example http://paste.openstack.org/show/193133/14:49
morganfainbergdims_, saw the question in -nova was about to answer there14:49
dims_all sorts of goodies (tokens!) :)14:49
morganfainberg{SHA1}<thing> is a scrubbed token14:49
morganfainbergit's a sha1 of a token, you can't actually use it.14:50
morganfainbergwe went through... a bunch of discussions on the best way to represent that14:50
dims_whew ok14:50
morganfainbergyeah14:50
morganfainbergwe had the options of --Token-Redacted--14:50
morganfainbergetc14:50
morganfainbergetc14:50
*** browne has joined #openstack-keystone14:50
dims_guess the other side of the question was, is it worth logging curl statements server-side14:50
morganfainbergbut we needed a clear way to correlate the request to token use14:51
morganfainberge.g. token x was used for requests x, y, z14:51
*** tsufiev_ has left #openstack-keystone14:51
dims_k gotcha14:51
morganfainbergdims_, I'd say yes it is worth logging, as that is what is occurring. n-cpu is calling cinderclient: http://logs.openstack.org/74/163974/7/check/check-tempest-dsvm-full/b3b48d2/logs/screen-n-cpu.txt.gz#_2015-03-17_17_10_24_57114:52
morganfainbergi'd prefer to drop the "CURL" notation though tbh14:52
morganfainbergthat is more of a legacy debug hold-over14:52
dims_fair enough :)14:52
dims_+114:52
morganfainbergdims_, the nice thing is if you don't want to see it, you just need to exclude keystoneclient.session from logging at debug :)14:53
morganfainbergand it applies the same anywhere session is used14:53
morganfainbergrather than needing to guess what <insert client> chose to do.14:53
morganfainbergdims_, come to our meeting next week and ask / remind me about dropping curl notation?14:54
*** stevemar has joined #openstack-keystone14:54
*** ChanServ sets mode: +v stevemar14:54
morganfainbergdims_, https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting feel free to add yourself to our agenda too.14:54
morganfainbergdims_, alternative: mailing list.14:54
morganfainbergdims_, /me is about to hop on a plane in a few hours so....14:55
dims_morganfainberg: will drop in, adding my nick to attendee list14:55
morganfainbergdims_, awesome. thanks.14:55
dims_safe travels morganfainberg!14:55
morganfainbergdims_, ty!14:55
*** Bsony has joined #openstack-keystone14:55
*** Bsony_ has quit IRC14:57
morganfainbergstevemar, going to circle back up once i'm at the airport/on a plane...14:57
*** vhoward has joined #openstack-keystone14:58
morganfainbergstevemar, but... going to ask ya to review https://review.openstack.org/#/c/159229/ and the test followup early today.14:58
morganfainbergstevemar, we need to press go today if it's landing14:58
*** pnavarro has joined #openstack-keystone14:59
stevemarmorganfainberg, on it14:59
morganfainbergstevemar, tyvm14:59
marekdstevemar: what are you talking about (link?)14:59
stevemarmarekd, ?15:00
marekdstevemar: you and morganfainberg  :-)15:00
marekdif i may ask ofc15:00
morganfainbergmarekd, https://review.openstack.org/#/c/159229/15:00
stevemarmarekd, just to review  https://review.openstack.org/#/c/159229/15:00
morganfainbergmarekd, fernet15:00
marekdaaaaa, yeah, sorry, i think i'm going blind15:00
marekdsorry15:00
morganfainbergmarekd, or ... more coffee needed :P15:01
marekdalready had 450ml today ;/15:01
marekdwhich makes two big cups of strong coffee.15:01
morganfainbergmarekd, clearly a sign you must need more (to be fair, I always want more...)15:02
marekdheh15:02
*** ParsectiX has quit IRC15:10
*** Trozz has quit IRC15:10
stevemarmarekd, why are the sp tests not being cleaned up here: https://review.openstack.org/#/c/164605/15:10
*** Trozz has joined #openstack-keystone15:11
*** pnavarro has quit IRC15:13
*** pcaruana has joined #openstack-keystone15:19
*** pnavarro has joined #openstack-keystone15:24
*** browne has quit IRC15:30
*** nellysmitt has quit IRC15:32
*** _cjones_ has joined #openstack-keystone15:36
rodrigodsstevemar, ping... re: https://review.openstack.org/#/c/165079/15:39
*** pnavarro has quit IRC15:39
*** henrynash has joined #openstack-keystone15:40
*** ChanServ sets mode: +v henrynash15:40
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Clean arguments in test_federation.*.test_create()  https://review.openstack.org/16460515:40
rodrigodsstevemar, do you think this change isn't necessary even with the possibility of having blank values?15:40
rodrigodshenrynash, ping... did you see our reseller FFE email? I think it would be nice if you could respond to it saying that you are going to sponsor it :)15:41
henrynashrodrigods: sure, will do15:41
rodrigodshenrynash, thanks!15:41
*** ajayaa has quit IRC15:41
*** packet has joined #openstack-keystone15:41
stevemarrodrigods, yes, when would the user be able to put in blank values now?15:42
lbragstaddolphm: jorge_munoz bknudson it looks like the v2 token doesn't include the methods in the token response. V2 Unscoped: http://cdn.pasteraw.com/hgve20t5vutrkn71w7s2kqm60n2tmpk V2 Scoped: http://cdn.pasteraw.com/qe0u4988jrgdk8epbuw95g2f8ucon4o15:42
stevemarrodrigods, i agree that the sp migration is necessary (lost the link for that one)15:42
bknudsonlbragstad: the methods are removed in v3 to v2 conversion?15:43
lbragstadbknudson: they can't15:43
lbragstadbknudson: a v2 Fernet token would need to have those in order to validate it15:43
lbragstadbknudson: oh, wait... misread your question. Yes they are removed15:43
bknudsonlbragstad: can't what?15:43
rodrigodsstevemar, its a previous patch in the chain15:44
rodrigodsstevemar, nope, the user would not be able to create with blank values15:44
lbragstadbknudson: the 'methods' aren't included in the token_ref when we get it in the provider15:44
rodrigodsstevemar, we should consider that no one is using it between releases?15:44
rodrigodsstevemar, if so, that change isn't necessary15:45
bknudsonlbragstad: the methods get added here: https://review.openstack.org/#/c/159229/39/keystone/token/providers/fernet/core.py15:45
bknudsonand then it must just get removed again.15:45
lbragstadbknudson: we need the methods to pass to the token formatters15:45
bknudsonwhat if you validate a v2 token using v3?15:46
lbragstadbknudson: that's why we need the methods in the v2 token15:46
bknudsondo you get methods back?15:46
lbragstadbknudson: yes15:46
bknudsonso keystone lies?15:46
lbragstadbknudson: it doesn't look like keystone cares about methods with v2 but it does for v315:46
bknudsonright, so what happens if I get a v2 token, and then validate it using v3?15:47
bknudsondoes the validation response have methods?15:47
openstackgerrithenry-nash proposed openstack/keystone: Move backend LDAP role testing to the new backend testing module  https://review.openstack.org/15683015:48
lbragstadbknudson: yes, they are unpacked from the v2 token and populated on the way out of the v3 token validate response.15:48
bknudsonwhy is https://review.openstack.org/#/c/159229/39/keystone/token/providers/fernet/core.py doing "method_names.append('token')" when the methods don't matter?15:48
lbragstadbknudson: let me grab a trace15:48
bknudsonlbragstad: you just said the v2 token doesn't have methods.15:49
lbragstadbknudson: when you validate a v2 token using v2 validate, methods aren't included in the response15:49
bknudsonlbragstad: what if you validate a v2 token using v3?15:49
lbragstadbknudson: doing that now to get a trace15:50
dolphmbknudson: v2 token *validation responses* don't have methods - it's not part of the v2 api15:52
*** mestery has joined #openstack-keystone15:52
bknudsondolphm: what is v3 token *validation response* supposed to have if it's given a v2 token?15:53
lbragstadbknudson: here is a token response from V2 http://cdn.pasteraw.com/32ghfqjvvyhn4juytatpfanht2eo1y515:53
dolphmbknudson: open question? i think we should be able to support methods in the v3 response ("password" and "token" are appilcable to v2)15:54
bknudsondolphm: but keystone doesn't know what method was used?15:54
dolphmbknudson: as long as the v2 controllers indicate to the token provider what auth method was used, it can be encoded in the token15:54
dolphmbknudson: this would be new behavior for fernet though, i suspect a v2 token auth'd on v3 wouldn't have any auth methods?15:54
lbragstadbknudson: here is a response from V3 when validating said token above: http://paste.openstack.org/show/193157/15:54
dolphmany *other* v2 token15:54
lbragstaddolphm: I just recreated that scenario15:55
bknudsonI don't think this is new for fernet... uuid tokens have methods.15:55
dolphmlbragstad: and it's getting password, cool15:55
bknudsonohh, wait, if you got a uuid token from keystone it could have stored the methods anyways.15:55
dolphmlbragstad: try rescoping that token with v2, and validating the rescoped token on v315:55
dolphmbknudson: in v315:55
dolphmbknudson: right15:55
* dolphm (does anything even care about auth methods?)15:56
bknudsonI don't know if anyone cares about auth methods.15:57
stevemarrodrigods, we code for users upgrading between releases, not users who pick up kilo1 and want to switch to kilo315:57
bknudsonmaybe gyee?15:57
stevemarrodrigods, since SPs weren't in Juno, the only way we supports SPs is if you migrate to the latest federation db migration, which would force not-nullable urls15:58
*** thedodd has joined #openstack-keystone15:59
*** Akshik has joined #openstack-keystone16:02
*** samueldmq has quit IRC16:02
rodrigodsstevemar, ok, so I'll abandon that change16:03
openstackgerritRodrigo Duarte proposed openstack/keystone: Fix nullable constraints in service provider table  https://review.openstack.org/16418916:04
*** ayoung has joined #openstack-keystone16:04
*** ChanServ sets mode: +v ayoung16:04
rodrigodsstevemar, ^16:04
lbragstaddolphm: bknudson here is an unscoped token from v2 http://cdn.pasteraw.com/c20zzfr5v41uoe46353k4vn06f9jv4s16:05
lbragstaddolphm: bknudson here is the same token, rescoped using v2 http://paste.openstack.org/show/193158/16:05
bknudsonlbragstad: what if you validate that token using v3?16:05
stevemarrodrigods, ty16:05
lbragstaddolphm: bknudson and then validated with v3 http://paste.openstack.org/show/193159/16:05
bknudson"methods": [             "token",             "password"         ],16:06
lbragstadbknudson: dolphm boom16:06
bknudsonI assume you didn't actually use both token and password?16:06
bknudsonso keystone lied.16:06
lbragstadbknudson: that's because it was rescoped16:06
bknudsonoh, right.16:06
bknudsonso it's correct.16:06
marekdstevemar: i could defend myself by saying that it was not mentioned in the commit message, but the truth is I forgot about it.16:10
Akshikneed help in fixing shibboleth+keystone+testshib looping issue16:10
Akshikmy shibboleth2.xml is http://chunk.io/f/d58c54aae5d34170b8b8d5b471e9613b16:10
Akshikhttp://chunk.io/f/eed2697b6aec46b5a7ed116a50773326 is my shibd.log16:10
lbragstadbknudson: yep16:10
Akshikand my apache config  http://chunk.io/f/1503d8d820ee4b3d8d9ff98fd10890d2 http://chunk.io/f/043e37fa840a4ef79ec09582e65d0aea16:10
Akshikkindly guide me16:10
marekdAkshik: so, let's decompose your problem into smaller steps16:11
marekdAkshik: setup a federation without any Keystone/OpenStack involved16:11
*** browne has joined #openstack-keystone16:12
marekdAkshik: 2015-03-18 13:53:22 DEBUG XMLTooling.CredentialCriteria [1]: key algorithm didn't match ('AES' != 'RSA')16:12
stevemarmarekd, it's okay16:12
Akshikmarekd, yes i think the issue is with apache+sso, i dont see any request to keystone16:13
stevemarmarekd, can you answer my q about the remote_ids work?16:13
*** Bsony has quit IRC16:13
marekdstevemar: marco just did16:13
marekdi don't know if you had a chance to read it.16:13
stevemar\o/16:13
stevemari did not16:13
*** iamjarvo has quit IRC16:13
dolphmlbragstad: awesome!16:13
dolphmlbragstad: is that with fernet?16:14
lbragstaddolphm: yeah16:14
dolphmwoo16:14
lbragstaddolphm: using the new dynamically built format map16:14
lbragstad:)16:14
marekdis testshib generating shibboleth2.xml file with where adfs.so is loaded?16:14
dolphmi should have guessed fernet from 56.000000Z16:14
marekdAkshik: ^^16:14
dolphmlbragstad: response looks perfect to me16:15
lbragstaddolphm: I'll have to tip my hat to jorge_munoz for the v3 -> v2 token response conversion16:15
dolphmjorge_munoz: \o/16:15
marekdAkshik: ??16:17
Akshikmarekd, i'm not sure about that16:19
stevemarmarekd, one request for remote_ids, a simple one!16:19
marekdstevemar: let me look at the patch.16:19
Akshikmarekd, is it required,16:20
marekdAkshik: no.16:20
marekdAkshik: did you use shibboleth2.xml file generated by testshib?16:20
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036416:20
* marekd World/IRC doesn't seem so lonely anymore when U.S is awake16:21
Akshikmarekd, no i used the one that's present and have customised it like the one mentioned in the openstack docs16:22
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215616:23
openstackgerritLance Bragstad proposed openstack/keystone: Add inline comment and docstrings fixes for Fernet  https://review.openstack.org/16548916:23
lbragstadbknudson: address your last few comments in a follow on patch ^16:23
marekdAkshik: so, i suggest for the first time using what testshib generates for you, and customizing that one.16:23
Akshikmarekd, the one generated by testshib will not have an override, if that's not there i'm not sure how we call that from the browser16:25
marekdAkshik: sorry, i didn't understand.16:25
marekdAkshik: the default one is for browsers16:26
Akshik115.112.68.53:5000/v3/OS-FEDERATION/identity_providers/testshib/protocols/saml2/auth is how i call it from browser16:26
marekdAkshik: yes.16:26
Akshikwhere testshib is the applicationoverride id16:26
Akshikmarekd, let me try the default shibboleth2.xml from testshib and update the result16:27
marekdAkshik: good idea, i think most of us tried it and essentially it worked.16:27
marekdthen we can carry on with more advanced configuration.16:28
Akshikmarekd, sure let me do that first16:28
*** ajayaa has joined #openstack-keystone16:32
dolphmlbragstad: jorge_munoz: so you should actually be able to validate v3 tokens on v2, to an extent16:32
lbragstaddolphm: are we going to support that?16:33
dolphmlbragstad: jorge_munoz: as long as the user involved is in the default domain, the project involved is in the default domain, and it's not a domain scoped token16:33
dolphmif any of those checks should fail, you have to raise 401 because a v2 client wouldn't be able to safely handle the response, because it wouldn't understand naming conflicts that might occur as the result of higher levels of scope16:34
dolphmlbragstad: that's literally the only purpose of the default domain :) to provide a single boundary in v3 that v2 can safely operate on16:35
*** mattfarina has quit IRC16:36
*** zzzeek has joined #openstack-keystone16:38
*** mattfarina has joined #openstack-keystone16:38
ayounghenrynash, what is the definition of a "sensitive substitution?"16:41
*** Bsony has joined #openstack-keystone16:42
*** sigmavirus24 is now known as sigmavirus24_awa16:42
henrynashayoung: as per the spec, it’s when you want to include one of the sensitive options (e.g. password) in an option that is not, in and of itself, sensitive (e.g. url)16:42
henrynashayoung: we never return the substituted result via REST, we just use it internally to pass to, say, the ldap driver16:43
ayounghenrynash, the reason I ask is we have a wider request to remove passwords from config files across the board...is this the start of that effort?16:43
*** gyee has joined #openstack-keystone16:43
*** ChanServ sets mode: +v gyee16:43
ayoungLike, the whole Keystone conf has to be hidden because it has the mysql password in it16:43
henrynashayoung: yes, it can be used to do that…the current admin password for ldap wouldn’t have to be in the config file16:44
ayounghenrynash, but we are still stuck on the mysql one, right?16:44
henrynashayoung: right now, yes….well…thinking about it....16:45
ayoungcool...btw, patch looks good16:45
ayounghenrynash, also, learn the chord changes to Layla.16:45
ayoungmakes a great blues jam16:45
henrynashayoung: right now we don’t allow the sql options to be supported…but we could….but of course it can’t be on a domain by domain basis (since we only can have one sql driver at the moment)16:45
henrynashayoung: ok…:-)16:46
ayounghenrynash, keep it in mind...it would have to be something for oslo config eventually16:46
henrynashayoung: yes, agreed16:46
Akshikmarekd, Unable to map non-default applicationId to an ApplicationOverride, check configuration.16:47
ayounghenrynash, the original thought was that we needed to be able to encrypt values in files, but that leads to the question of where do we put the decryption key16:47
Akshikis the error i get while using the default xml provided by test shib16:47
henrynashayoung: yeah, chicken and egg, within an egg, within an…16:48
ayoungTurtles16:48
ayoungTurtles all the way down16:48
ayounghenrynash, +2A16:49
henrynashayoung: thx16:49
henrynashayoung: yep, Feynman had it right (well, his heckler did)16:50
ayounghenrynash, I've held off on writing the spec until I had a good grasp on what it should look like16:51
ayounghenrynash, I know that you can do something where you need human interaction to start the service, and you can do some other hacky things where a key is kept in an external directory16:55
ayoungseems like something should be from systemd: fetch the key from a secure store outside of /etc/httpd and pass it in at start up16:55
henrynashayoung: it’s that balance…you want separate stores (or you’re not increasing security by moving the key)…but need to beware of the least commonly secure link in the chain16:57
*** jproulx1 has joined #openstack-keystone16:58
morganfainbergMornin-ish16:58
*** openstackgerrit has quit IRC16:59
*** openstackgerrit has joined #openstack-keystone16:59
jproulx1hate to ask here but no luck on mail list or ask.openstack17:01
jproulx1trying to use v3 python binding per example at http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html#authenticating-using-sessions but getting 'EndpointNotFound17:01
jproulx1anyone have a couple minutes to look at https://ask.openstack.org/en/question/63180/endpointnotfound-errors-with-keystone-v3-python-api/ and see what I'm screwing up?17:01
ayoungjproulx1, Endpoint Not Found ...17:01
ayoungjproulx1, two things come to mind17:02
jproulx1(note v3 is working with openstack cli and horizon for me)17:02
ayoungone is that the authentication is messed up if you still have OS-SERVICE_ENDPOINT set17:02
ayoungit might be that you are accidentally doing admin topken17:02
ayoungtoken17:02
ayoungnah...17:02
ayoungreading now17:03
jproulx1ayoung many thanks for looking17:03
ayoungjproulx1, what is your endpoint set to?17:03
ayoungjproulx1, the keystone endpoint, that is17:03
*** iamjarvo has joined #openstack-keystone17:04
jproulx1in the catalog it's set to https://<host>:<port>/v217:04
ayoungjproulx1, "catalog endpoint is v2 "17:05
*** iamjarvo has quit IRC17:05
ayoungright...so the client is supposed to do discovery17:05
*** _cjones_ has quit IRC17:05
ayoungit should be able to deal with this17:05
ayoungjproulx1, can you modify the server, or is this a production machine?17:05
*** iamjarvo has joined #openstack-keystone17:05
jproulx1I also created an identityv3 endpoint and tried setting endpoint_filter to find it but couldn't find the right place17:05
jproulx1it's a production setup so I can't (well fear) just switching the identity endpoint :)17:06
stevemarjproulx1, is it https://<host>:<port>/v2 or https://<host>:<port>/v2.0 ?17:06
jproulx1oh sorry v2.017:06
stevemarjproulx1, i saw your email on the ML but didn't have the time to reply back17:07
stevemargood call coming on irc17:07
*** jistr has quit IRC17:08
ayoungjproulx1, so, it looks like discovery is failing here.   You know how to debug in python?  You could potentially confirm that by putting a breakpoint in the client code17:08
ayoungjproulx1, I assume all client code etc is up to date?17:09
ayoungrelatively speaking...17:09
*** lhcheng_afk has joined #openstack-keystone17:09
ayoungno Cactus or Essex era code here17:09
jproulx1relative to juno release17:09
ayoungdiscovery should be good there17:10
*** _cjones_ has joined #openstack-keystone17:10
*** sigmavirus24_awa is now known as sigmavirus2417:10
stevemarjproulx1, might be worth printing the contents of the client.Client() instance to see whats going on17:10
jproulx1ayoung my python-fu is weak17:10
*** topol has quit IRC17:11
ayoungjproulx1, http://adam.younglogic.com/2015/02/debugging-openstack-with-rpdb/17:11
ayoungalthough you could probably get away with just17:12
jproulx1how do I dump that <keystoneclient.v3.client.Client object at 0x7f5ed4959690> isn't very helpful17:12
ayoungimport pdb; pdb.set_trace() if you are running from the command line17:12
jproulx1ayoung thanks for the link will read, & I am in command line.17:12
ayoungdir(object)  shows the variables17:12
ayoungyeah, rpdb is more for debugging server17:13
ayoungit sets up a socket for telnet, but it is pdb under the covers17:13
* ayoung can't type17:13
ayoungI'd put the breakpoint right before keystone.users.list()17:13
ayoungand then step through...although you can probably get closer to the right point...17:14
ayoungit's going to be at the endpoint lookup of the service catalog....17:14
ayounglink in a sec17:14
jproulx1http://pastebin.com/MFW9zGSL maybe my object is empty looks like keys no values?17:14
*** samueldmq-away is now known as samueldmq17:15
ayoungjproulx1, those are the variable names, so17:16
samueldmqdolphm, you around? I found something when running those tests from keystone-deploy17:16
ayoungkeystone.service_catalog  etc17:16
dolphmsamueldmq: what's up17:16
ayoungjproulx1, I'm sure there is a better way to dump the object state without modifying the object17:16
ayoungjust that is a sure thing...basic python17:17
ayoungjproulx1, the person who knows this code cold is jamielennox , but he is in Australia and won't bu until around 4pm Eastern17:17
samueldmqdolphm, i) I deployed the server with 'sudo python setup.py install && sudo service apache2 restart'17:17
samueldmqdolphm, ii) I ran only the test test_token_rescoping, it passes17:18
dolphmsamueldmq: with which branch, btw?17:18
jproulx1will dig around a bit with pointers given and come back around Aussie AM if I can't sort it out by then17:18
samueldmqdolphm, if I re-run it, it won't pass anymore ... I always get :17:18
samueldmq[Wed Mar 18 12:22:10 2015] [error] 2015-03-18 12:22:10.863 23791 WARNING keystone.common.wsgi [-] Could not find project: 06277831609f42d1ab4c3184d42ee47417:18
jproulx1Thanks all17:18
samueldmqdolphm, where this id is the id from the project created when I ran the first time17:19
samueldmqdolphm, I downloaded your code from review '165279'17:19
dolphmsamueldmq: i mean which branch of keystone-deploy?17:19
ayoungjproulx1, it feels like it is a bug in discovery, as the client code should be smart enough to hack off the v2.0,  but maybe it is just trying to get /v2.0/v317:20
ayoungI think there is some way to crank up logging, or you could look on the wire, and see what it is actually requesting17:20
samueldmqdolphm, I think I had master .. oh .. but I set up Fernet tokens by myself (running keystone manage)17:21
ayoungjproulx1, but..endpoint not found looks like it is looking for a match in your service catalog, and the Keystone server is not defined. Are you using the endpoint filtering extension on the keystone server?17:21
ayoungAre you sure you have an identity endpoint coming back?17:21
ayoungjproulx1, you can do something like this:  http://docs.openstack.org/developer/keystone/api_curl_examples.html17:22
ayoungand, if the output is too hard to read...  pipe it to python -mjson.tool17:22
openstackgerritLance Bragstad proposed openstack/keystone: Cleanup Fernet testcases and add comments.  https://review.openstack.org/16552017:22
ayoungI think...17:22
ayoungI tend to use jq for json parsing17:22
*** amakarov is now known as amakarov_away17:23
samueldmqdolphm, yes, I am on master of keystone-deploy, and I ran keystone-manage by myself, in order to set up Fernet tokens17:24
dolphmsamueldmq: the branches are almost the same, but "git diff master fernet-tokens" shows what you need to do to switch to deploy17:25
dolphmsamueldmq: which test failed with project not found?17:25
openstackgerritLance Bragstad proposed openstack/keystone: Cleanup Fernet testcases and add comments.  https://review.openstack.org/16552017:27
jproulx1ayoung no endpoint filtering on the server, if I pass an endpoint_filter to the session object 'sess' and do sess.get('/users', endpoint_filter=<stuff>) I can get a user list17:27
*** harlowja_away is now known as harlowja_17:27
samueldmqdolphm, in a few words, what I am having is: I can't get an unscoped token after getting a project scoped token, because it says ProjectNotFound (for the project I got a scoped token before --and deleted after that--)17:27
dolphmsamueldmq: lbragstad: also just added some v2 test coverage to keystone-deploy17:28
ayoungjproulx1, but you are explicitly asking for the  v3 endpoint you added right?17:28
jproulx1ayoung yes17:28
ayoungidentityv317:28
samueldmqdolphm, ok then, please re-deploy your keystone server with  'sudo python setup.py install && sudo service apache2 restart'17:28
samueldmqdolphm, and run only test_token_rescoping17:28
ayoungjproulx1, let me test against my server...17:28
*** lhcheng_afk is now known as lhcheng17:29
samueldmqdolphm, and try to run it again after that17:29
openstackgerritLance Bragstad proposed openstack/keystone: Add inline comment and docstrings fixes for Fernet  https://review.openstack.org/16548917:29
samueldmqdolphm, maybe it's just my configuration (I hope)17:29
dolphmsamueldmq: i replaced that test with some more granular rescoping scenarios17:29
openstackgerritLance Bragstad proposed openstack/keystone: Cleanup Fernet testcases and add comments.  https://review.openstack.org/16552017:29
lbragstaddolphm: sweet17:29
dolphmsamueldmq: lbragstad: i'm applying a few patches from gerrit to my deploy, and i'll test it all at once (v2, auth methods, my bug fixes)17:29
ayoungjproulx1, OK...I've got devstack running...17:30
ayounglets see17:30
lbragstaddolphm: nice!17:30
ayoungjproulx1, what is your auth_url?17:30
ayoungends with /V2.0 as well?17:30
jproulx1ends with /v317:31
ayoungjproulx1, ok, try this17:31
ayoungopenstack --os-identity-api-version=3 user list17:32
samueldmqdolphm, nice.. I'll be able to try something later as well17:32
jproulx1ayoung that works fine and has right along17:32
ayoungso it is just a problem with doing it programmatically?17:32
* ayoung a little slow17:32
jproulx1yes, it seems very much me17:32
ayoungOK...let me try your code17:33
dolphmlbragstad: samueldmq: i'm getting several 401's instead of 200's17:33
dolphmsamueldmq: no ProjectNotFounds though17:33
lbragstaddolphm: for v2?17:34
dolphmlbragstad: both v2 and v317:34
dolphmlbragstad: with my patch and the entire other sequence applied, starting with v2 support17:34
ayoungjproulx1, BTW, I have some env var code you might want to use17:34
ayounghttps://review.openstack.org/#/c/82687/20/examples/scripts/initialize_keystone.py,cm17:34
lbragstaddolphm: check that its not blowing up on the token?17:35
ayoungah, but you source a file...17:35
dolphmlbragstad: ++ i'm debugging17:35
jproulx1ayoung, I have some I scraped off the internet to munge shell variable files to python but will check that too17:36
ayoungwhere is that 'source' call defined?17:36
jproulx1lemme post the whole thing...17:36
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Improve feedback message in SSL error  https://review.openstack.org/12976917:36
samueldmqdolphm, k .. I got 401 on subsequent calls (the first one works)17:36
samueldmqdolphm, I see ProjectNotFound on keystone error log17:37
dolphmsamueldmq: is the first one an unscoped token request?17:37
dolphmsamueldmq: i see that too - i sent you a diff last night that i thought didn't do anything, but that might be the trick, let me find it17:37
samueldmqdolphm, that test had several calls inside it: the first one is unscoped, the others are scoped17:38
samueldmqdolphm, let me put a public ip on my machine, and then I will have you access, so that you can check quicker, ok?17:38
*** rdo has joined #openstack-keystone17:38
jproulx1ayoung here's an actual paste of everything I'm running http://pastebin.com/Bc56SP2j17:38
dolphmsamueldmq: will you try applying this to keystone-deploy? $ curl http://cdn.pasteraw.com/l9hqpyloyd34lirdapsoay0dskj89aj | git apply17:38
samueldmqdolphm, will do now17:39
dolphmsamueldmq: it'll unfortunately leave your database with extra endpoints that are never cleaned up, but it also preserves the account that auth_token is using to validate tokens for the duration of the test run17:40
ayoungjproulx1, got a different error, but similar17:40
ayoungjproulx1, I wonder if we need that env var to be passed in as well17:41
samueldmqdolphm, well.. verified ! : )17:42
dolphmsamueldmq: it passed?17:42
samueldmqdolphm, it just works o/17:42
dolphmsamueldmq: awesome, so my test suite is broken :)17:42
samueldmqdolphm, yep .. I don't know exactly why ... but it is17:43
dolphmsamueldmq: i'll pretty-up the patch you just applied and get it in17:43
samueldmqdolphm, ++17:43
jproulx1ayoung tried grepping around for a place to specify IDENTITY_API_VERSION in code but couldn't find it, guessed that the fact I was calling v3 directly meant I didn't need it17:43
ayoungjproulx1, it is parsed in the keystone client code17:43
*** nellysmitt has joined #openstack-keystone17:44
ayoungjproulx1, http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/shell.py#n14517:45
ayoungsomething like that...although that is deprecated code17:45
jproulx1ayoung, so even in python code I need the shell environment to have that? sounds icky17:47
ayoungno17:47
ayoungjproulx1, I'm seeing where it gets passed.17:47
ayoungI think it goes to the client constructor17:47
*** tqtran has joined #openstack-keystone17:48
ayoungjproulx1, ok ... I think we need version='v3' or something17:48
jproulx1Hmm, just sourced the shell bits so the env was right for the cli & still same endpoint error with python code17:48
jproulx1export OS_IDENTITY_API_VERSION=3  works with cli17:49
ayoungjproulx1, just like the other env vars, it needs to be explicitly passed on17:50
ayoungI'm seeing a different error, but try17:50
ayoungkeystone = client.Client(version=os_auth['OS_IDENTITY_API_VERSION'], session=sess)17:51
jproulx1Ah, ok I'd been trying to fit it in the session somehow (and failing)17:53
jproulx1lemme try17:53
ayoungyeah...it's not a session thing, because it is not common across all clients. You are trying explicitly to make a keystone call here17:53
ayoungit just worked for me.17:54
*** ayoung is now known as ayoung-afk18:02
jproulx1ayoung I'm still not getting it:18:02
jproulx1keystone = client.Client(session=sess,version='3')18:02
jproulx1still same error18:02
*** ajayaa has quit IRC18:11
dolphmsamueldmq: just pushed new tests to all branches18:14
dolphmlbragstad: fernet, with all patches currently in review passes everything including v2 support and rescoping in all directions18:15
dolphmlbragstad: i'm only validating v2 tokens on v3 though - not doing anything in the other direction18:16
* dolphm lunch18:18
lbragstaddolphm: nice!18:23
jproulx1ayoung-afk fwiw firing up my test cluster and switching identity endpoint to be explicitly /v3 does work, still no luck with various things passed as version=[3,'3','v3'] to client.Client ...18:29
*** ayoung-afk is now known as ayoung18:30
*** afazekas has quit IRC18:31
ayoung$ echo $OS_IDENTITY_API_VERSION18:31
ayoungv318:31
ayoungjproulx1, ^^18:31
ayoungkeystone = client.Client(version='v3', session=sess)18:32
*** _cjones_ has quit IRC18:32
*** _cjones_ has joined #openstack-keystone18:32
ayoungbut it works for me even if I don't pass that18:32
ayoungjproulx1, in mysql, what do you get from this query18:35
ayoung select url from endpoint where service_id = (select id from service where type = 'identity');18:35
ayoungjproulx1, try it with the latest version of the keystone client.  Maybe what you have is old and missing the essential code18:38
jproulx1+------------------------+18:38
jproulx1| url                    |18:38
jproulx1+------------------------+18:38
jproulx1| http://host:5000/v2.0  |18:38
jproulx1| http://host:5000/v2.0  |18:38
jproulx1| http://host:35357/v2.0 |18:38
jproulx1+------------------------+18:38
jproulx1on test cluster now I'll pull latest keystone there & see if it fixes...18:39
samueldmqdolphm, ack, will take a look later, thanks18:41
samueldmq:-)18:41
*** rushiagr is now known as rushiagr_away18:46
*** jaosorior has quit IRC18:52
*** stevemar has quit IRC18:53
*** stevemar has joined #openstack-keystone18:53
*** ChanServ sets mode: +v stevemar18:53
*** diegows has joined #openstack-keystone19:09
*** cburgess has quit IRC19:10
*** cburgess has joined #openstack-keystone19:11
*** nellysmitt has quit IRC19:12
*** _cjones_ has quit IRC19:16
*** _cjones_ has joined #openstack-keystone19:16
dolphmayoung: is pki / pkiz being tested in the integrated gate anywhere?19:19
jproulx1ayoung thanks for all your time, looks like crufty code, spun up a clean VM pip installed python-keystoneclient & it just works...19:19
openstackgerritMerged openstack/python-keystoneclient: Clean arguments in test_federation.*.test_create()  https://review.openstack.org/16460519:19
*** Akshik has quit IRC19:21
openstackgerritBrant Knudson proposed openstack/keystone: Update Apache httpd config docs for token persistence  https://review.openstack.org/16450819:33
openstackgerritBrant Knudson proposed openstack/keystone: Update sample httpd config file  https://review.openstack.org/16451019:33
*** boris-42 has quit IRC19:37
ayoungdolphm, it was the default.  Now that it is not, I suspect it is not tested19:39
ayoungjproulx1, good to hear19:39
*** krtaylor has quit IRC19:39
*** comstud has quit IRC19:39
*** cyeoh has quit IRC19:39
*** lbragstad has quit IRC19:39
*** lbragstad has joined #openstack-keystone19:40
*** cyeoh has joined #openstack-keystone19:41
*** comstud has joined #openstack-keystone19:41
*** krtaylor has joined #openstack-keystone19:41
*** gyee has quit IRC19:41
*** boris-42 has joined #openstack-keystone19:42
*** timcline has quit IRC19:44
*** chrisshattuck has joined #openstack-keystone19:44
*** diegows has quit IRC19:44
*** diegows has joined #openstack-keystone19:45
*** timcline has joined #openstack-keystone19:45
*** diegows_ has joined #openstack-keystone19:50
*** diegows has quit IRC19:53
lbragstadmorganfainberg: since k-3 is coming up, here is a list of all open bugs in keystone since November 6th of last year: http://keystone-weekly-bug-report.tempusfrangit.org/weekly-bug-reports/keystone-open-bugs-since-2014-11-6.html19:54
*** chrisshattuck has quit IRC19:54
stevemarlbragstad, change your nick name to capt.buzzkill19:54
lbragstadstevemar: :)19:55
*** devlaps has joined #openstack-keystone19:55
*** zigo__ has joined #openstack-keystone19:56
*** zigo has quit IRC19:56
dolphmstevemar: on the bright side, those are only the bugs that are still open19:57
dstaneklbragstad: that's quite a bit19:57
*** sigmavirus24 is now known as sigmavirus24_awa19:57
lbragstadstevemar: gotta tag the bugs with milestones!19:58
lbragstaddstanek: yeah,19:58
dstaneklbragstad: feels like a good weekend project19:59
lbragstaddstanek: ++19:59
lbragstaddstanek: just parsing the individual bugs, and trying to give a first pass at triaging19:59
dstanektraining is over and now i feel trained20:00
lbragstaddstanek: I'm happy you're officially trained in OpenStack :)20:00
dstaneklbragstad: did you go through the training?20:01
bknudsondstanek: what was the training?20:01
lbragstaddstanek: no, I'll have to check if I can, I would like to20:01
bknudsonlbragstad: apparently you have to be there a couple years first.20:01
dstanekbknudson: it was an introduction to openstack - we basically setup and configured the services by hand20:01
bknudsondstanek: and filed lots of bugs...20:02
bknudsonwhy is this so hard?20:02
bknudsondstanek: including neutron?20:02
dstanekbknudson: yes20:02
bknudsondstanek: cinder with different backends?20:03
lbragstaddstanek: did the class offer ibuprofen for that section?20:03
bknudsondstanek: TLS ?20:03
morganfainbergayoung, i expect to solve the PKI(z) and Fernet testing next week20:03
dstanekbknudson: only a single backend and no TLS20:03
bknudsondstanek: keystone in apache?20:03
ayoungsounds good20:03
morganfainbergin gate jobs20:03
morganfainbergthat is20:03
morganfainbergnot just unit20:03
openstackgerritMerged openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992820:09
morganfainberglbragstad, dolphm, jorge_munoz, just pressed the go button on the last of the fernet patchsets20:11
dolphmmorganfainberg: oh cool!20:11
lbragstadmorganfainberg: ++20:11
morganfainbergthis does not address the urlsafe issue, the v2.0 and subsequent test update(s)20:12
dolphmmorganfainberg: ?20:12
morganfainberglooks like adam +2'd the urlsafe thing20:12
morganfainberghttps://review.openstack.org/#/c/165279/5/keystone/token/providers/fernet/token_formatters.py20:13
morganfainbergthat is gating ayoung +2A'd it20:13
morganfainbergi was commenting i hadn't circled up on that one yet20:13
morganfainbergturns out i don't need to20:13
dolphmmorganfainberg: i'm happy to write more code if necessary :P20:13
dolphmi'd actually still like to do some more refactoring on the payloads...20:14
morganfainbergdolphm, cleanup on payloads and merging the test classes together should be just cleanup work that can happen post k320:14
*** openstackgerrit has quit IRC20:14
*** openstackgerrit has joined #openstack-keystone20:15
dolphmmorganfainberg: i'll be AFK next week, and on/off the week after though, so now is my chance to get that stuff into review20:16
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300720:16
stevemardolphm, does cody bunch lurk on irc?20:17
dstanekbknudson: yes, we were using Apache20:17
dstaneknice, according to the release-blocking reviews page, lots has been +A'd!20:19
*** diegows_ has quit IRC20:19
dolphmstevemar: i'd assume yes, but i do not know his handle20:19
stevemardarn20:20
*** sigmavirus24_awa is now known as sigmavirus2420:22
morganfainbergbknudson, https://pythonhosted.org/setuptools/setuptools.html#declaring-extras-optional-features-with-their-own-dependencies20:23
bknudsonmorganfainberg: is that something new?20:23
bknudsonand, does it work with our requirements.txt ?20:23
dstanekbknudson: not new and it's an alternative to requirements.txt (at least for the optional ones)20:24
dstanekmorganfainberg: can pip deal with that?20:24
morganfainbergbknudson, i don't think we populate it20:25
morganfainbergbut it's in setuptools.20:25
morganfainbergnot sure when it was added20:25
bknudsonhow is it going to be checked against global-requirements, and updated automatically?20:26
morganfainbergbknudson, i'm digging into some other requirement related things, but i ran across that20:26
morganfainbergthought it was interesting20:26
dstanekbknudson: couldn't we do it the same way using a different script?20:26
morganfainbergdstanek, i don't think pip knows anything about it.20:26
dstanekmorganfainberg: that's what i thought - maybe it would be a good patch :-)20:27
morganfainberg++20:28
morganfainberginteresting20:32
morganfainbergpbr has some things that could be made to tweak this into working i think.20:32
bknudsonenough pbr makes everything look easy.20:33
dstanekayoung: so do you have an opinion on what to do about the revoke-by-grant for federation tokens?20:34
*** Bsony has quit IRC20:34
lbragstaddolphm: morganfainberg https://etherpad.openstack.org/p/keystone-kilo-bug-list20:35
morganfainbergetherpad is particularly painful to load on a plane :(20:36
lbragstaddolphm: morganfainberg I'll attempt to chip away at this20:36
lbragstadin my free cycles20:36
dolphmmorganfainberg: you need my fork of etherpad then ;P20:37
morganfainbergdolphm, lol20:37
*** Bsony has joined #openstack-keystone20:38
ayoungdstanek, ignore it?20:43
dstanekayoung: it doesn't actually cause a security issue right?20:43
ayoungdstanek, all federation tokens have the groups in them, so in theory we could build a revoke by group  mechanism, but I don't have the time to do it right now20:43
ayoungand everyone else is deathly afraid of the revoke tree20:44
ayoungdstanek, do you think it is a security issue?  It probably means that there is at least a surprising behavior in the Federation code base20:51
ayoungThis is broken now, so nothing new, but yeah, a group that loses an assignment will not cause the user tokens to be invalidated.20:52
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036420:56
henrynashayoung, lbragstad: fixed pep8 issues with https://review.openstack.org/160364 - if you’re OK to re-apply +2/A that would be great20:58
henrynashayoung, lbragstad: no other changes20:58
henrynashlbragstad: thx20:59
lbragstadhenrynash: yep!20:59
ayounghenrynash, done21:01
henrynashayoung: thx21:02
*** Bsony has quit IRC21:06
*** mattfarina has quit IRC21:07
*** samueldmq is now known as samueldmq-away21:09
lbragstadhenrynash: this is targeted for k-3 https://bugs.launchpad.net/keystone/+bug/141526821:13
openstackLaunchpad bug 1415268 in Keystone "Testing of backend list_role_assignments needs to be improved" [Medium,In progress] - Assigned to Samuel de Medeiros Queiroz (samueldmq)21:13
lbragstadhenrynash: do the reviews associated with that need to be added to https://gist.github.com/dolph/651c6a1748f69637abd021:13
lbragstadcc morganfainberg ^21:14
*** edmondsw has joined #openstack-keystone21:14
*** iamjarvo has quit IRC21:16
edmondswdolphm... can't figure out your rejection of bug 1431015. There aren't separate policy actions associated with requests that include vs. lack the domain_id query param21:19
openstackbug 1431015 in Keystone "v3/users or groups calls not working without domain_id" [Undecided,Invalid] https://launchpad.net/bugs/1431015 - Assigned to lilly (lilly-spandanabarukula)21:19
*** angular_mike is now known as new21:20
edmondswdolphm... can you explain?21:20
dolphmedmondsw: the call is intended to be used with a domain scope or fail, right? cc- henrynash21:21
*** samueldmq has joined #openstack-keystone21:22
openstackgerritMarek Denis proposed openstack/keystone: Remove SELinux section from httpd config  https://review.openstack.org/16451521:22
dolphmedmondsw: also forgot an important word! https://bugs.launchpad.net/keystone/+bug/1431015/comments/521:22
openstackLaunchpad bug 1431015 in Keystone "v3/users or groups calls not working without domain_id" [Undecided,Invalid] - Assigned to lilly (lilly-spandanabarukula)21:22
stevemaredmondsw, now i know your irc handle too21:24
stevemaredmondsw, i kept getting side tracked with other things, verifying ksm audit middleware now21:24
edmondswdolphm, the user is presenting domain authorization here...21:24
dolphmlbragstad: morganfainberg: whoops, i've been removing bugs from the etherpad, per the original instructions, as i triage them21:24
edmondswstevemar, tx21:25
lbragstaddolphm: no worries21:25
dolphmedmondsw: it's a project scoped token in the bug report21:25
lbragstaddolphm: I'm marking as triaged just so my work can be double-checked21:25
edmondswdolphm, the project is within a domain...21:25
lbragstaddolphm: I'm fine if you or morganfainberg validate and remove from the list21:26
dolphmedmondsw: right, just to provide namespacing to the project. you can also have a token which expresses domain-level authorization (there's no project involved)21:26
lbragstadmorganfainberg: dolphm Ideally we should have a list of bugs we need to talk about by the end of the list, at which point I can tag with meeting or something.21:26
edmondswdolphm... sure you can... but you shouldn't have to. And don't... the same auth token works if I make the same request but specify the domain_id query param21:27
*** __TheDodd__ has joined #openstack-keystone21:27
dolphmlbragstad: target all the ones that should be discussed / investigated to rc1 to be safe?21:27
lbragstaddolphm: ++21:27
lbragstaddolphm: we can remove it later if needed21:27
dolphmlbragstad: worst case, they get untargeted without fixing them, but they're guaranteed not to get lost that way21:27
edmondswdolphm, so the token is authorized to make the request for this domain... no vulnerability here, just a usability issue21:28
*** thedodd has quit IRC21:28
dstanekmorganfainberg: what to do about https://review.openstack.org/#/c/141267 ?21:28
dolphmedmondsw: does it work with the alternative policy file?21:28
edmondswdolphm, what do you mean?21:29
lbragstadthe v3 specific policy file?21:29
lbragstadhttps://github.com/openstack/keystone/blob/25d742ada803d8501e7c004242a625efd07fcaf6/etc/policy.v3cloudsample.json21:29
dolphmlbragstad: they're both basically v3-specific21:29
dolphmlbragstad: that one you linked to just utilizes of the authorization flexibility afforded by v321:30
dolphmmore of the*21:30
lbragstadah, gotcha21:30
dolphmedmondsw: if there's really not a security concern, then the usability issue boils down to: both your project-scope and user account have domain scopes, so what should keystone do if those are both different domains?21:30
stevemardolphm, you making my ecp bug a wishlist item!21:31
dolphmstevemar: the one to add a convenience API?21:31
*** jamielennox is now known as jamielennox|away21:31
edmondswdolphm, is it possible to have a user in domain x accessing a project in domain y? Seems like that would be a vulnerability...21:32
dolphmedmondsw: yes, if they're granted explicit authorization to do so21:32
edmondswdolphm, so what would be allowed today, if I specified the domain_id query parameter? Only work for the user's domain, only work for the project's domain, or work for both, or only work if both are the same?21:35
openstackgerritMerged openstack/python-keystoneclient: Allow passing logger object to request  https://review.openstack.org/15764721:35
edmondswdolphm, I was assuming the project's domain would be the one that we'd use here... if the user is in a different domain, so be it, but their token is scoped to the project and thus to the domain in which that project resides21:36
dolphmedmondsw: "and thus to the domain" <-- that's not true at all21:37
dolphmedmondsw: the original use case, IIRC: a domain-scoped token requesting the list of users in a domain: the query parameter should match the token's domain scope, and policy.json can enforce that21:38
edmondswdolphm, if you were saying that this token shouldn't be usable to query things at the domain level, I could understand that.21:38
edmondswdolphm, but it is currently usable to do just that... all you have to do is specify the domain_id query param21:38
edmondswdolphm, so if the user isn't validated for the domain, that's a security vulnerability21:38
dolphmedmondsw: correct, with the policy file linked above you'll see rules like, "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",21:38
dolphmedmondsw: that depends on your policy.json21:39
edmondswdolphm, ok, let me study this policy.json21:39
*** browne has quit IRC21:39
*** browne has joined #openstack-keystone21:40
*** henrynash has quit IRC21:41
*** henrynash has joined #openstack-keystone21:41
*** ChanServ sets mode: +v henrynash21:41
*** samueldmq has quit IRC21:41
edmondswdolphm, so let's say we have a rule that explicitly checks for the domain on the token like that... then that check should happen and fail if the token isn't domain scoped, I agree21:42
*** devlaps has quit IRC21:43
edmondswdolphm, but can we not do the policy check and then add the domain_id afterward if that passed and the user didn't specify the domain?21:46
edmondswdolphm, so if someone wants to set up their policy to require the domain in the token, they can do that... but for those that don't, the domain can be inferred21:47
edmondswdolphm, I want to move from a single domain to having 1 domain for end-users and a separate domain for service users, so they can use different identity backends21:48
edmondswdolphm, and I don't want users to have to deal with asking for tokens differently now21:48
*** tqtran is now known as tqtran_afk21:48
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove parent_id in v2 tenant response  https://review.openstack.org/16436721:48
bknudsondolphm: henrynash: edmondsw: I think part of the issue is that when you enable multi-domains now you can't list all users with /v3/users anymore.21:49
bknudson/v3/users works without multi-domains, but as soon as it's enabled /v3/users breaks.21:49
edmondswexactly, bknudson21:51
*** sigmavirus24 is now known as sigmavirus24_awa21:51
nkinderedmondsw: for that to work, your user domain would have to be set as the "default_domain"21:54
nkinderedmondsw: which means services need to know how to auth using v3 (and specifying a domain)21:55
nkinderedmondsw: that's not 100% possible right now21:55
edmondswnkinder, or we fix this bug... it's the fact that that's not possible right now which turned me this direction21:55
nkinderedmondsw: your users would then have to use v2 to get a token too21:55
edmondswnkinder, that's not going to happen... users will be on v321:56
edmondswalready are, and I'm not sending them back to v221:56
nkinderedmondsw: are you referring to bug 1431015?21:56
openstackbug 1431015 in Keystone "v3/users or groups calls not working without domain_id" [Undecided,Invalid] https://launchpad.net/bugs/1431015 - Assigned to lilly (lilly-spandanabarukula)21:56
edmondswnkinder, yes21:56
nkinderedmondsw: so yes - the behavior is annoying21:58
nkinder...but, dolphm  is right about the security implications21:58
*** csoukup has quit IRC21:59
nkinderTo do a user list, we need to ensure that your user has the right role on the domain itself21:59
nkinderyou can't do that without a domain scoped token unless Keystone internally looks it up21:59
nkinderfor it to work, you would present a project-scoped (or unscoped) token, then Keystone would have to pull the domain out of it, fetch the roles you have on that domain, then attempt to perform the user list22:00
edmondswnkinder, yes... why can't we do that?22:00
nkinder...and, that effectively means you are taking a project scoped token and elevating it to be able to perform domain operations22:00
edmondswnkinder, no it doesn't22:01
nkinderso someone intercepting your project scoped token can now escalate to perform domain-restricted operations22:01
nkinderedmondsw: how so?22:01
edmondswnkinder, the token is already allowed to do this, as shown by just adding the domain_id query param... works fine22:01
nkinderno, it's not22:01
nkinderthat domain_id is serving a different purpose22:01
nkinderit serves to disambiguate your user name22:02
*** boris-42 has quit IRC22:02
nkinderedmondsw: ah, well that depends on your policy.json22:02
nkinderwhat is the policy for your user list operation in the policy that you are using?22:02
edmondswnkinder, ? the domain information for the user in the token should disambiguate the user name22:02
edmondswrole:admin or is_admin:122:03
nkinderok, so you are using policy that isn't really using domains (like policy.v3cloudsample)22:04
nkinderso that policy is saying that anyone with the admin role on anything (any project) is the cloud admin22:04
edmondswyes22:04
nkinder...not really ideal22:04
edmondswthat depends22:04
nkinderbut you are right that your user is allowed to perform the operation22:04
nkinderwith a project scoped token where they are the admin of the project.22:05
openstackgerritBrant Knudson proposed openstack/keystone: Cleanup tests don't keep engine  https://review.openstack.org/16434022:05
nkinderSo the problem with that policy in a multi-domain environment is this...22:05
nkindera project admin of a project in "domainA" can list users in "domainB"22:05
nkinder...which is why the policy.v3cloudsample has admin_and_matching_domain_id22:06
*** bknudson has quit IRC22:09
nkinderedmondsw: so, I suppose it would be OK to pull the domain_id out of the "user" section of the token if the query param was not provided22:09
nkinderedmondsw: it would leave the decision up to policy22:09
nkinderedmondsw: if you were using policy.v3cloudsample, you would be denied unless you had a domain-scoped token22:09
nkinderedmondsw: for your case, "admin" of anything would be allowed to list users in any domain though22:09
nkinder...but that is ultimately a policy decision22:10
nkinderdolphm: what do you think? ^^^22:11
nkinderdolphm: it's not really circumventing policy22:11
dolphm(i stepped away, still catching up)22:11
nkinderk22:11
*** jamielennox|away is now known as jamielennox22:12
*** Bsony has joined #openstack-keystone22:13
dolphmedmondsw: apologies for stepping away22:13
dolphmnkinder: agree 99% with what you said above, except i'm not sure what you mean by "your users would then have to use v2 to get a token too" (users can create tokens on the default domain in v3 - it's just like any other domain there)22:14
dolphmnkinder: edmondsw: and i think if keystone is going to have a fallback behavior, the only sane one i can think of is if your user.domain_id == project.domain_id then assume that domain_id22:14
nkinderdolphm: I meant that if they don't want to specify their domain when requesting a token, then they need to use v222:14
nkinderdolphm: I mistakenly thought that was one of edmondsw's goals22:14
henrynashlbragstad: so on https://bugs.launchpad.net/keystone/+bug/1415268, we only need these if https://review.openstack.org/#/c/137202/32 is going to merge for Kilo22:15
openstackLaunchpad bug 1415268 in Keystone "Testing of backend list_role_assignments needs to be improved" [Medium,In progress] - Assigned to Samuel de Medeiros Queiroz (samueldmq)22:15
dolphmnkinder: oh, i think clients should assume that if you're authenticating with v3 and you don't specify a domain, then the client should just assume domain_id='default' for everything22:15
*** stevemar has quit IRC22:15
dolphmthe assumption is that either all/most regular users are in the default domain, or it's just a single domain deployment, so it's a safe bet22:16
nkinderdolphm: ...except there is a problem with that22:16
dolphmand if it fails, then we just need decent error messages to say "hey, i couldn't find that project in this domain. maybe specify a different domain?"22:16
nkindermany people want service users in one domain, and "normal" users in another domain22:16
dolphmnkinder: right, the service users can be in the non-default domain22:16
nkinderif you want to allow v2 to still work for normal users, your normal user domain has to be the default22:16
dolphmagree22:17
nkinderyes, which means the services need to know how to use v3 properly (they don't)22:17
nkinderjamielennox has been working towards that, but some services don't use v3 well still AFAIK22:17
dolphmthat's an easier problem to solve though than teaching a bunch of users about the authorization complexity we support22:17
nkindertotally22:17
nkinderit's just not 100% solved yet22:18
*** Bsony has quit IRC22:18
dolphmnkinder: would you happen to have a recent pulse on which services don't support v3, etc? cc- jamielennox22:18
nkinderjamielennox has it all written down somewhere (and has a bunch of patches out)22:18
jamielennoxDolph, pretty much anything that talks to swift or glance22:19
dolphmnkinder: that's actually what i'm planning on spending most of tomorrow on... i'd like to be able to deploy devstack without identity v2 deployed at all :)22:19
*** packet has quit IRC22:19
dolphmjamielennox: do you actually have a doc up somewhere?22:19
jamielennoxI have a trello board with some notes22:20
jamielennoxI'm currently in fedora boot hell and typing this on my phone though22:20
*** henrynash has quit IRC22:20
dolphmjamielennox: is it shareable?22:21
jamielennoxhttps://trello.com/b/5qivasNp/keystone-v3.22:21
jamielennoxI'm not sure if it's public, if you can't see it I'll change some settings22:22
dolphmjamielennox: i can see it, thanks!22:24
dolphmjamielennox: nova<->neutron is a big win :)22:24
jamielennoxdolphm: please add things you find aren't v3 aware22:25
dolphmjamielennox: will do22:25
nkinderdolphm: yeah, glad to hear you're going to be trying to get this working too!22:25
nkinderit will really help to make domains more usable22:25
dolphmjamielennox: i'll probably focus on nova/glance22:25
nkinderdolphm: I agree on your "user.domain_id == project.domain_id" statement above22:26
dolphmedmondsw: ^22:26
jamielennoxdolphm: I had been working on glanceclient to support session stuff, but it's very different to other clients and nobody is reviewing my stuff22:26
nkinderdolphm: in fact, I would find using the project_domain_id confusing as a fallback22:26
nkinderI would expect a user is trying to list other users in their own domain if they didn't specify a domain22:27
dolphmjamielennox: send me a list of reviews22:27
nkinderdolphm: I think they are in the trello cards22:27
nkinderoh, not the glanceclient ones22:28
dolphmnkinder: i was about to say, maybe i just can't see comments or something22:29
nkinderjamielennox: I didn't notice nova->neutron merged yesterday!22:29
nkinderdolphm: yeah, sorry about that22:29
dolphmno worries22:29
jamielennoxI've only been trying trello for a week or so, so not everything is in there22:31
*** diegows_ has joined #openstack-keystone22:33
*** amerine has quit IRC22:35
*** timcline has quit IRC22:36
*** tqtran_afk is now known as tqtran22:37
dolphmjamielennox: i was going to look through your open reviews to look for relevant changes -- would there be relevant reviews anywhere else? other authors, etc22:44
*** ccard__ has quit IRC22:46
*** ccard_ has joined #openstack-keystone22:47
jamielennoxSomeone else has had a go at ironic, which is good cause it was a bit of a mess22:47
*** gyee has joined #openstack-keystone22:48
*** ChanServ sets mode: +v gyee22:48
*** amerine has joined #openstack-keystone22:48
jamielennoxProbably the easiest thing to do is grep through projects looking for use of the keystone_authtoken admin_user. Anyone using that will be v2 only and needs to move off.22:49
*** ccard_ has quit IRC22:52
*** ccard_ has joined #openstack-keystone22:54
*** gordc has quit IRC22:58
openstackgerritMerged openstack/keystone: Implement Fernet tokens for v2.0 tokens  https://review.openstack.org/15922922:58
dolphm\o/ lbragstad morganfainberg22:59
openstackgerritMerged openstack/keystone: Use existing token test for Fernet tokens.  https://review.openstack.org/16434822:59
dolphmjorge_munoz: thank you, sir!22:59
openstackgerritMerged openstack/keystone: URL quote Fernet tokens  https://review.openstack.org/16527922:59
*** zzzeek has quit IRC22:59
*** henrynash has joined #openstack-keystone23:09
*** ChanServ sets mode: +v henrynash23:09
*** dims__ has joined #openstack-keystone23:29
*** boris-42 has joined #openstack-keystone23:30
*** dims_ has quit IRC23:33
*** diegows_ has quit IRC23:36
openstackgerritMerged openstack/keystone: Log when no external auth plugin registered  https://review.openstack.org/16443923:43
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove parent_id in v2 token response  https://review.openstack.org/15686723:53
*** new has quit IRC23:53
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove parent_id in v2 token response  https://review.openstack.org/15686723:55
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove parent_id in v2 tenant response  https://review.openstack.org/16436723:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!