Friday, 2015-03-27

openstackgerrit	Merged openstack/keystone: Add caching to getting of the fully substituted domain config https://review.openstack.org/166018	00:00
*** markvoelker has quit IRC		00:02
*** Tahmina has quit IRC		00:03
*** bknudson has joined #openstack-keystone		00:04
*** ChanServ sets mode: +v bknudson		00:04
dstanek	morganfainberg: i'm game for whatever you need	00:18
morganfainberg	dstanek, you're already on the list	00:18
morganfainberg	dstanek, this is just a question of if you want to be on that list	00:19
morganfainberg	dstanek, this is the subset of keystonecore roped in for security bug review/patchreview/etc	00:19
morganfainberg	dstanek, when the VMT or PTL thinks it is appropriate to do so	00:19
dstanek	morganfainberg: i'm totally fine with that	00:19
bknudson	you will learn things you don't want to know about.	00:19
morganfainberg	dstanek, so its not that i need it, it is purely "are you interested on being on the for it"	00:19
morganfainberg	s/the for it/ the hook for it	00:20
morganfainberg	bknudson, you don't get an option for this :P >.>	00:20
morganfainberg	ok i'm off to grab dinner	00:22
gyee	dstanek, they have different uniforms for security people	00:24
*** gokrokve has quit IRC		00:24
bknudson	secret handshake	00:24
dstanek	gyee: if i have to wear a tie then count me out	00:24
gyee	heh	00:24
gyee	shit we don't send out a cadf for disabling a user?	00:25
gyee	wait, we do	00:26
lhcheng	gyee, looks like just an update user event	00:26
gyee	yeah looks like it	00:26
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Change auth_token to use keystoneclient https://review.openstack.org/144248	00:27
lhcheng	gyee is wearing his security hat now	00:27
gyee	physical security :)	00:32
lhcheng	audit security	00:32
lhcheng	:P	00:32
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Add routing for list_endpoint_groups_for_project https://review.openstack.org/167939	00:33
*** browne has quit IRC		00:37
* dstanek isn't following along in here too closely. He's working on his codereview tool.		00:37
bknudson	dstanek: to replace gerrit?	00:38
gyee	reviewbot?	00:38
gyee	based of fuzz AI?	00:38
dstanek	bknudson: to replace the web interface	00:38
bknudson	gertty?	00:38
dstanek	https://github.com/dstanek/vim-gertty	00:39
bknudson	vim... should be an eclipse plugin.	00:39
dstanek	haha	00:39
bknudson	now I've got my work cut out for me.	00:39
dstanek	what work is that?	00:39
bknudson	creating an eclipse plugin for gerrit	00:39
bknudson	it would be awesome.	00:40
bknudson	could have a whole openstack ide.	00:41
dstanek	you should totally do that	00:42
bknudson	integrated devstack	00:43
dstanek	if you do that i'll get devstack to run in vim	00:44
bknudson	that's unpossible...?	00:44
morganfainberg	dstanek: can I get it ported to emacs?	00:44
bknudson	just meta-x gerrty	00:44
morganfainberg	I'm asking for a friend.	00:44
morganfainberg	>.>	00:44
dstanek	morganfainberg: no	00:45
dstanek	i have trouble lisping	00:45
dstanek	viml is hard enough	00:45
bknudson	eclipse uses java	00:46
dstanek	bknudson: that's why i can't install it	00:46
gyee	just rewrite everything in go	00:46
gyee	wait, did someone already said that :)	00:46
dstanek	there is a rewrite of vim, but i don't think it's in go	00:47
bknudson	isn't vim a rewrite of vi?	00:48
dstanek	yep	00:48
*** sigmavirus24_awa is now known as sigmavirus24		00:48
*** tqtran_ has quit IRC		00:58
*** samueldmq has quit IRC		01:07
*** crinkle has quit IRC		01:11
*** crinkle has joined #openstack-keystone		01:15
bknudson	2015-03-26 20:15:18.254 CRITICAL keystone [-] DbMigrationError: None	01:15
bknudson	that's the error when I try to downgrade.	01:15
bknudson	with 167834	01:15
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/162355	01:21
*** dims_ has quit IRC		01:23
*** raildo has joined #openstack-keystone		01:24
*** crinkle has quit IRC		01:25
raildo	dstanek: ping... are you here?	01:27
openstackgerrit	Dave Chen proposed openstack/keystone: More content in the guide for core components' migration https://review.openstack.org/164188	01:27
*** samueldmq has joined #openstack-keystone		01:28
*** _cjones_ has quit IRC		01:30
*** _cjones_ has joined #openstack-keystone		01:31
*** browne has joined #openstack-keystone		01:31
*** _cjones_ has quit IRC		01:35
dstanek	raildo: sorta yes	01:46
raildo	just to know if you had read what I say about the bug :)	01:47
raildo	We found the bug, but we don't have a good solution for this	01:48
dstanek	raildo: do you have a link handy?	01:50
raildo	dstanek: I debug the sqlalchemy code, and see this: http://paste.openstack.org/raw/196942/	01:51
raildo	dstanek: in the teardown, they will load all tables but for group and user tables, the FK for domain_id still exists. So they try to load the Domain table id, but it's dropped.	01:52
*** dank_ has quit IRC		01:55
dstanek	raildo: why do you think it's a bug? that is actually the behavior i expect. this is probably worth bringing up to zzzeek tomorrow	01:55
dstanek	i think since sqlalchemy was loaded with that table and those foreign keys that when we try to reflect it tries to create them. i was hoping that there was some easy way to clear the cache and reload just what we care about	01:56
raildo	dstanek because we already remove this FK in this script: https://github.com/openstack/keystone/blob/master/keystone/common/sql/migrate_repo/versions/064_drop_user_and_group_fk.py	01:57
dstanek	raildo: but i don't know if that is supposed to delete it from the cache that reflection uses	01:57
dstanek	normally the data used in reflection is setup at import time	01:58
dstanek	morganfainberg: do you have any idea what's happening here? ^	01:58
raildo	dstanek: morganfainberg this script is related for this bug: https://bugs.launchpad.net/keystone/+bug/1417451	02:00
openstack	Launchpad bug 1417451 in Keystone "SQL User & Group entities still have FK to domain" [Medium,Fix released] - Assigned to Steve Martinelli (stevemar)	02:00
raildo	but the FK still exist for sqlite database...	02:00
bknudson	sqlite doesn't support fks as far as I know	02:01
dstanek	bknudson: sqlalchemy thinks it should be there based on the model and looks for a table that doesn't exist	02:02
raildo	bknudson: I think that doesn't support constraints, but I'm not sure	02:02
bknudson	not worth it working around sqlite errors. it's not production	02:02
dstanek	it's not sqlite it related to testing migrations	02:03
bknudson	it also happens on mysql?	02:03
raildo	bknudson: so I can put a put a if "if not sqlite drop the table"	02:03
bknudson	works for me	02:03
raildo	bknudson: I had tried in the mysql and the script works good	02:03
openstackgerrit	Merged openstack/keystone: Exposes bug when getting hierarchy on Project API https://review.openstack.org/167230	02:03
openstackgerrit	Merged openstack/keystone: Fixes bug when getting hierarchy on Project API https://review.openstack.org/167231	02:04
openstackgerrit	Merged openstack/keystone: Refactor _create_projects_hierarchy in tests https://review.openstack.org/167991	02:04
openstackgerrit	Merged openstack/keystone: Refactor code supporting status in JSON Home https://review.openstack.org/165075	02:04
dstanek	raildo: you don't get the error on mysql and the table is dropped?	02:04
raildo	dstanek: nope, because in the mysql this FK doesn't exists	02:05
raildo	so I can drop the table	02:05
dstanek	i wonder why sqlalchemy is confused	02:06
raildo	dstanek: yes... it's weird, and the problem is, in the future, if somebody want drop other table that contain a FK for other table, the problem will happen again	02:08
dstanek	raildo: that's why i'd like to find the root cause	02:09
dstanek	i'll take a look a little later	02:09
*** erkules_ has joined #openstack-keystone		02:10
raildo	dstanek: I'll investigate more later, but the problem happen here: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_sql_upgrade.py#L176	02:11
*** lhcheng has quit IRC		02:12
*** erkules has quit IRC		02:12
raildo	I don't know if this a sqlalchemy problem, or a bug in keystone due sqlite	02:12
openstackgerrit	wanghong proposed openstack/keystone: remove assignments when deleting a domain https://review.openstack.org/127433	02:12
*** nkinder has joined #openstack-keystone		02:13
*** sigmavirus24 is now known as sigmavirus24_awa		02:14
openstackgerrit	Brant Knudson proposed openstack/keystone: Entrypoints for commands https://review.openstack.org/131435	02:16
openstackgerrit	Merged openstack/keystone: Remove SQL Downgrades https://review.openstack.org/167834	02:28
openstackgerrit	Merged openstack/python-keystoneclient: Replace assertRaisesRegexp with assertRaisesRegex https://review.openstack.org/168125	02:29
*** crinkle has joined #openstack-keystone		02:29
raildo	i was just thinking here, why we use sqlite in the keystone tests?	02:37
wanghong	raildo, we want to run tests faster	02:48
*** gyee has quit IRC		02:50
raildo	wanghong: hum... that is a good argument :) thanks	02:51
wanghong	:P	02:52
ayoung	nkinder, OK...I'm getting closer. I have the following error:	02:53
ayoung	{"error": {"message": "Could not find Identity Provider: https://ipa.cloudlab.freeipa.org/idp/saml2/metadata", "code": 404, "title": "Not Found"}}	02:53
ayoung	and that makes sense. If I fetch the file https://ipa.cloudlab.freeipa.org/idp/saml2/metadata	02:53
ayoung	and look at the entityId value (which is the rmote_id atribute)	02:54
ayoung	it says: entityID="https://ipa.cloudlab.freeipa.org/idp/saml2	02:54
*** devlaps has quit IRC		02:54
* ayoung needs stevemar to get this clear...or someone else that knows SAML and Keystone		02:55
nkinder	ayoung: what did you set as the remote_id when you created the IdP in keystone?	02:56
ayoung	nkinder, used the values from your scriopts...here they are:	02:56
ayoung	> select * from identity_provider;	02:57
ayoung	+---------+---------+-------------+-----------+	02:57
ayoung	\| id \| enabled \| description \| remote_id \|	02:57
ayoung	+---------+---------+-------------+-----------+	02:57
ayoung	\| ipsilon \| 1 \| NULL \| NULL \|	02:57
ayoung	+---------+---------+-------------+-----------+	02:57
ayoung	that is the databse (happend to be in there now)	02:57
nkinder	ayoung: uh, you missed a step to set the remote_id	02:57
nkinder	ayoung: you have to use curl	02:57
nkinder	no support in OSC yet (though there is a patch for it)	02:57
ayoung	https://github.com/nkinder/rdo-vm-factory/blob/master/rdo-federation-setup/vm-post-cloud-init-rdo.sh#L237	02:58
nkinder	ayoung: yep, that's it	02:58
nkinder	ayoung: set it to the value that will be in MELLON_IDP	02:59
ayoung	nkinder, so the URL?	02:59
nkinder	ayoung: that should be "https://$IPA_FQDN/idp/saml2/metadata"	02:59
*** raildo has quit IRC		02:59
ayoung	entityID="https://ipa.cloudlab.freeipa.org/idp/saml2/metadata"	02:59
nkinder	ayoung: you can turn on debug level in Keystone, and it will print out the env variables from the assertion if you wanted to see what MELLON_IDP is	03:00
nkinder	but the above looks right	03:00
openstackgerrit	wanghong proposed openstack/keystone: add test of /v3/auth/catalog for endpoint_filter https://review.openstack.org/168210	03:02
ayoung	curl -si -X PATCH -H "X-Auth-Token:secrete" -H "Content-type: application/json" http://$HOSTNAME:5000/v3/OS-FEDERATION/identity_providers/ipsilon -d '{"identity_provider": {"remote_id": "https://ipa.cloudlab.freeipa.org/idp/saml2/metadata"}'	03:02
ayoung	OK let's try again	03:02
ayoung	nkinder, curl didn't set it.	03:03
nkinder	ayoung: really?	03:03
ayoung	heh, so I stuck it in qith sql	03:04
nkinder	ewww	03:04
ayoung	{"error": {"message": "An unexpected error prevented the server from fulfilling your request: [Errno 2] No such file or directory: '/etc/keystone/sso_callback_template.html' (Disable debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}	03:04
ayoung	goot!	03:04
nkinder	yeah, you missed that step too!	03:04
ayoung	well, I wanted to see what we had from upstream	03:04
nkinder	almost there...	03:04
ayoung	so this is OK	03:04
nkinder	ayoung: I hit this error when I first set it up too	03:05
nkinder	copy it from the source tree	03:05
nkinder	no modifications needed	03:05
ayoung	nkinder, do we have the patch submitted for OSC setting remote_id?	03:05
nkinder	ayoung: I have one out for review, but there is another one for the "remote_ids" change that was approved for FFE	03:05
nkinder	ayoung: let me get links...	03:06
ayoung	for OS client or for Keystone server?	03:06
ayoung	thanks	03:06
nkinder	ayoung: https://review.openstack.org/#/c/166087/	03:06
nkinder	the "remote_ids" one is keystone server and another for OSC	03:06
nkinder	ayoung: OSC remote_ids = https://review.openstack.org/#/c/161302/	03:07
ayoung	ugh...devstack does not set up the clients by default	03:07
ayoung	pip...	03:07
nkinder	ayoung: keystone remote_ids = https://review.openstack.org/#/c/152156/	03:07
*** lhcheng has joined #openstack-keystone		03:08
ayoung	nkinder, and success...of sorts	03:08
ayoung	Forbidden (403)	03:09
ayoung	CSRF verification failed. Request aborte	03:09
ayoung	from Horizon.	03:09
nkinder	ayoung: your curl command above was missing a }	03:09
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Expose audit_id via AccessInfo https://review.openstack.org/168212	03:09
ayoung	should have errored out.	03:09
nkinder	ayoung: if you log things in the browser, you should see that you get a token and the javascript with the form submit	03:10
nkinder	ayoung: what did you pass as the "origin" query param?	03:11
ayoung	nkinder, the root URL for Horizon	03:11
ayoung	http://federate.cloudlab.freeipa.org:5000/v3/auth/OS-FEDERATION/websso/saml2?origin=http://federate.cloudlab.freeipa.org	03:11
ayoung	I didn't configure Horizon at all yet	03:12
ayoung	so this is OK	03:12
nkinder	ayoung: ok. I didn't get a 403 with horizon. I just got the normal login page.	03:12
nkinder	...doing no config or anything, but you are on a newer horizon	03:12
ayoung	you probably passe /login or what not...let me see	03:12
nkinder	no, I didn't.	03:12
nkinder	I just used the root URL too	03:13
ayoung	{"error": {"message": "http://federate.cloudlab.freeipa.org/auth/login/?next=/ is not a trusted	03:13
ayoung	let's see what happens when I change that...	03:13
nkinder	ok, you need to set trusted_dashboard in keystone.conf	03:13
nkinder	it has to match the origin	03:14
ayoung	CSRF verification failed. Request aborted.	03:14
ayoung	I think because Horizon is not doing the origianal redirect	03:15
nkinder	ayoung: it's supposed to be auth/websso/	03:15
lhcheng	ayoung, are you guys trying the websso setup for horizon/keystone?	03:15
nkinder	look for trusted_dashboard in here - https://review.openstack.org/#/c/164012/9/doc/source/extensions/websso.rst	03:15
nkinder	lhcheng: yes	03:15
lhcheng	the trusted_dashboard must be the full path	03:15
ayoung	lhcheng, yeah, with the ipsilon provider we've been working on	03:15
lhcheng	not just the http://<host>	03:16
nkinder	lhcheng: so http://host/websso/auth ?	03:16
nkinder	or auth/websso I mean	03:16
lhcheng	ayoung, I've set this up for oidc few weeks ago	03:16
lhcheng	incude ../auth/websso/	03:16
lhcheng	so http://host/auth/websso/	03:17
nkinder	lhcheng: which patches are needed for horizon/doa? There are two different patches out there.	03:18
nkinder	There's this one - https://review.openstack.org/#/c/151842/	03:18
nkinder	...and this one - https://review.openstack.org/#/c/136178/	03:18
lhcheng	nkinder: both	03:18
ayoung	Page not found	03:18
nkinder	ok	03:18
ayoung	applying now	03:19
ayoung	Gah ...need to do the whoe DOA setup first	03:19
nkinder	lhcheng: is there any hope of those making it in for Kilo?	03:19
ayoung	OK...tale for another day	03:19
ayoung	DOA is not on the Horizon release schedule, so yes	03:20
ayoung	DOA goes out when it is ready	03:20
nkinder	yeah, I know DOA is less of an issue	03:20
lhcheng	nkinder: it got an FFE, I am currently porting the DOA patch to use the plugin model that was recently added	03:20
nkinder	lhcheng: cool, the stuff jamielennox did, right?	03:20
lhcheng	there are still bugs on the code too, when I tested the patch, I could not switch between projects on the UI	03:20
lhcheng	nkinder: yes	03:21
lhcheng	the existing patch is missing the logic to use federation.projects.list() for listing user's project	03:22
jamielennox	lhcheng: i had a patch for that ....	03:23
lhcheng	jamielennox: to update this https://review.openstack.org/#/c/136178/ ?	03:23
jamielennox	i think it was combined with another one, it was pretty simple just put a get_projects on the plugin base with that as the default implementation	03:23
jamielennox	i haven't got the websso stuff updated yet	03:24
jamielennox	i was planning that for today but got pulled into a security fix for middleware	03:24
lhcheng	cool, I haven't got to that part yet.	03:26
lhcheng	I assume you have it in DOA-kerberos	03:26
lhcheng	jamielennox: I can look it up there	03:26
jamielennox	lhcheng: no, because you don't need it for kerberos, it uses the standard project listing	03:26
ayoung	lhcheng, how do I get : http://federate.cloudlab.freeipa.org/auth/websso ? That does not reaquire the DOA patch too, right?	03:27
jamielennox	https://review.openstack.org/#/c/164071/1/openstack_auth/base.py line 267, but it's pretty simple to do yourself then web sso can just override the function	03:27
ayoung	I mean, it won;t work, but it will be there...	03:27
lhcheng	ayoung, you need the DOA patch for that. The path "auth/websso/" routes to a DOA code	03:29
ayoung	ok	03:29
lhcheng	the DOA code accept the token from the form submitted by keystone	03:29
ayoung	lhcheng, so Horizon won't even have the path?	03:30
jamielennox	lhcheng: if you get a minute, really simple one: https://review.openstack.org/#/c/167402/	03:30
jamielennox	but DOA-kerberos relies on that for now	03:30
lhcheng	ayoung: when horizon starts up, it loads all url pattern from horizon + DOA	03:30
jamielennox	i think we should consider django_openstack_auth.utils private to DOA	03:31
lhcheng	ayoung, the CSRF issue you had should be fixed by line:131 in https://review.openstack.org/#/c/136178/21/openstack_auth/views.py	03:34
ayoung	cool	03:34
lhcheng	ayoung: I'm not sure which version of DOA patch were you testing awhile ago.	03:34
ayoung	lhcheng, I had my own that was doing unspeakable thiungs with Kerberos....jamie took it and cleaned it up	03:35
lhcheng	jamielennox: I agree, we should only make public the bare minimum for DOA to support the django authentication. The patch looks good to me.	03:36
openstackgerrit	wanghong proposed openstack/keystone: make response of endpoint_group API contain full url https://review.openstack.org/151863	03:37
*** rushiagr_away is now known as rushiagr		03:46
*** _cjones_ has joined #openstack-keystone		03:48
*** _cjones_ has quit IRC		03:49
*** samueldmq has quit IRC		03:55
*** _cjones_ has joined #openstack-keystone		03:58
*** _cjones_ has quit IRC		04:02
*** _cjones_ has joined #openstack-keystone		04:02
*** stevemar has joined #openstack-keystone		04:08
*** ChanServ sets mode: +v stevemar		04:08
*** lhcheng is now known as lhcheng_afk		04:18
*** lhcheng_afk has quit IRC		04:21
*** gokrokve has joined #openstack-keystone		04:27
*** gokrokve has quit IRC		04:32
*** stevemar2 has joined #openstack-keystone		04:32
*** ChanServ sets mode: +v stevemar2		04:32
*** gokrokve has joined #openstack-keystone		04:32
*** _cjones_ has quit IRC		04:33
*** stevemar has quit IRC		04:35
*** gokrokve has quit IRC		04:39
*** markvoelker has joined #openstack-keystone		04:39
*** junhongl has quit IRC		04:41
*** markvoelker has quit IRC		04:43
*** junhongl has joined #openstack-keystone		04:53
*** stevemar2 is now known as stevemar		04:53
*** rushiagr is now known as rushiagr_away		05:04
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Expose audit_id via AccessInfo https://review.openstack.org/168212	05:13
*** lhcheng_afk has joined #openstack-keystone		05:22
*** lhcheng_afk has quit IRC		05:26
*** amakarov_away has quit IRC		05:38
*** amakarov_away has joined #openstack-keystone		05:38
*** markvoelker has joined #openstack-keystone		05:39
*** jamielennox is now known as jamielennox\|away		05:41
*** markvoelker has quit IRC		05:43
*** dims has joined #openstack-keystone		05:46
*** ajayaa has joined #openstack-keystone		05:46
stevemar	jamielennox\|away, ++ to your comment on oslo.config	05:52
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/168231	06:08
*** rushiagr_away is now known as rushiagr		06:09
*** dims has quit IRC		06:21
openstackgerrit	Steve Martinelli proposed openstack/keystone: IdP ID registration and validation https://review.openstack.org/152156	06:25
*** afazekas is now known as __afazekas		06:28
*** ishant has joined #openstack-keystone		06:36
openstackgerrit	Steve Martinelli proposed openstack/keystone: Change the way values are migrated for 007_add_remote_id_table https://review.openstack.org/168239	06:39
*** markvoelker has joined #openstack-keystone		06:40
*** markvoelker has quit IRC		06:44
openstackgerrit	Steve Martinelli proposed openstack/keystone: Remove unnecessary import that was not checked https://review.openstack.org/168241	06:47
openstackgerrit	Steve Martinelli proposed openstack/keystone: Remove empty request bodies https://review.openstack.org/168244	06:55
*** lhcheng_afk has joined #openstack-keystone		07:11
*** afazekas has joined #openstack-keystone		07:13
*** lhcheng_afk has quit IRC		07:15
*** chlong has quit IRC		07:16
*** browne has quit IRC		07:30
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add relay_state_prefix to Service Provider https://review.openstack.org/166078	07:39
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion https://review.openstack.org/162866	07:39
*** markvoelker has joined #openstack-keystone		07:40
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion https://review.openstack.org/162866	07:42
*** markvoelker has quit IRC		07:45
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add relay_state_prefix to Service Provider https://review.openstack.org/166078	07:52
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion https://review.openstack.org/162866	07:54
*** jaosorior has joined #openstack-keystone		07:54
*** stevemar has quit IRC		07:59
openstackgerrit	Merged openstack/keystone: Imported Translations from Transifex https://review.openstack.org/168231	08:03
*** ajayaa has quit IRC		08:08
*** haneef_ has quit IRC		08:08
*** ajayaa has joined #openstack-keystone		08:08
*** haneef_ has joined #openstack-keystone		08:11
*** erkules_ is now known as erkules		08:11
*** erkules has joined #openstack-keystone		08:11
*** browne has joined #openstack-keystone		08:14
*** arunkant has quit IRC		08:24
*** arunkant has joined #openstack-keystone		08:26
*** jistr has joined #openstack-keystone		08:40
*** browne has quit IRC		08:41
*** markvoelker has joined #openstack-keystone		08:41
*** markvoelker has quit IRC		08:46
*** henrynash has joined #openstack-keystone		08:50
*** ChanServ sets mode: +v henrynash		08:50
*** pnavarro has joined #openstack-keystone		08:54
*** lhcheng_afk has joined #openstack-keystone		09:07
*** pnavarro is now known as pnavarro\|off		09:20
*** henrynash has quit IRC		09:38
*** markvoelker has joined #openstack-keystone		09:42
*** krykowski has joined #openstack-keystone		09:43
*** markvoelker has quit IRC		09:46
*** dims_ has joined #openstack-keystone		09:51
*** kodoku has joined #openstack-keystone		09:55
kodoku	Hi, I try to enable SSL in keystone. keystone client with --insecure works but if I GET on REST API, server doesn't respond. (on port 5000). Any ideas ?	09:56
*** henrynash has joined #openstack-keystone		09:56
*** ChanServ sets mode: +v henrynash		09:56
marekd	kodoku: one idea - try checking what log says :-)	09:58
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Fix for migration 062 on MySQL https://review.openstack.org/168003	09:58
kodoku	marekd When I get on API, no logs in keystone.log	09:59
marekd	kodoku: some other apache logs?	09:59
kodoku	hum I'll see	09:59
marekd	kodoku: ssl related maybe?	09:59
marekd	i suggest tail -f /var/log/apache2/keystone (or whatever patch is) and you will have live streaming of logs from apache.	10:00
marekd	tail -f /var/log/apache2/keystone/*	10:00
marekd	i meant	10:00
kodoku	I'am on Rhel	10:00
kodoku	So I don't have any keystone log in my apache logs	10:01
kodoku	and access or error log have nothing	10:01
marekd	kodoku: are you running keystone + apache ?	10:01
kodoku	like my serveur doesn't listen https :/	10:02
kodoku	no	10:02
marekd	ah, eventlet.	10:02
kodoku	apache is on other node	10:03
marekd	so that's why apache does have nothing	10:03
kodoku	keystone need apache ?	10:04
marekd	it's recommended way to run keystone	10:04
marekd	but it can also run on eventlet, as a standalone instance	10:04
marekd	try /var/log/keystone/keystone.log	10:05
marekd	or find for a file keystone.log	10:05
kodoku	ok, I was frezze my horizon on this node so apache doesn't start. I'll remove horizon and start apache	10:05
*** davidckennedy has joined #openstack-keystone		10:12
kodoku	marekd apache is start but always no reponse	10:22
kodoku	and 0 logs	10:22
marekd	kodoku: but do you know HOW you are running keystone?	10:23
marekd	Is it on top of Apache?	10:23
marekd	in case of Apache Keystone is ran via WSGI	10:23
marekd	so check if you have Apache vhosts configured.	10:24
marekd	or simply do ss -lntp \| grep keystone and see what process runs keystone	10:24
marekd	is it apache?	10:24
kodoku	LISTEN 0 128 :35357 :* users:(("keystone-all",2300,7),("keystone-all",2299,7),("keystone-all",2298,7),("keystone-all",2297,7),("keystone-all",2296,7),("keystone-all",2295,7),("keystone-all",2294,7),("keystone-all",2293,7),("keystone-all",2286,7)) LISTEN 0 128 :5000 :* users:(("keystone-all",2300,8),("keystone-a	10:24
*** lhcheng_afk has quit IRC		10:25
marekd	so its probably not apache	10:25
kodoku	yes	10:25
marekd	so no need to run aache..	10:25
kodoku	ok :)	10:25
marekd	find the log file.	10:25
marekd	do you know command find ?	10:26
kodoku	yes	10:26
marekd	i'd go with:	10:26
marekd	# find /var/log -name keystone.log	10:26
kodoku	in keystone.log I have no logs when I request API	10:26
marekd	and what exactly you mean by "request API" ?	10:26
kodoku	With API client I make a GET request on https://MYIP:5000/	10:27
kodoku	like a curl	10:27
marekd	maybe firewall?	10:27
kodoku	It was disable	10:28
marekd	i mena, if the connection is no rejected, closed, nothing is returned something is making it stall...	10:28
kodoku	and Before change http to https, connection works	10:28
marekd	so, it looks like there is misconfiguration with ssl.	10:28
kodoku	-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT	10:28
marekd	like, missing certificates ?	10:28
kodoku	When I make keystone --insecure user-list works	10:29
marekd	and when it's keystone user-list it doesn't right?	10:29
kodoku	yes :/	10:29
marekd	so try with keystone --debug --verbose user-list	10:29
marekd	you should get some info.	10:29
kodoku	Authorization Failed: SSL exception connecting to https://10.121.141.35:5000/v2.0/tokens	10:29
marekd	you can try enablig debuggin in your keystone.	10:30
marekd	on rdo it's...i think somewhere in /usr/share ?	10:30
marekd	anyway, find is your riend!	10:31
marekd	friend!	10:31
marekd	look for keystone.conf	10:31
*** kodokuu has joined #openstack-keystone		10:33
kodokuu	sorry my proxy bug	10:33
kodokuu	I'am stoped to debug mode	10:33
kodokuu	When I use --insecure DEBUG:urllib3.connectionpool:"GET /v2.0/users HTTP/1.1" 200 1256 So httpsdoesn't works	10:34
*** kodoku has quit IRC		10:34
kodokuu	So you have tutorial for enable SSL with the generation of certif	10:38
kodokuu	Do*	10:38
marekd	i'd google for "create ssl certificates"	10:39
kodokuu	in /etc/keystone/ssl/certs/ I have 01.pem ca.pem index.txt index.txt.attr index.txt.old openssl.conf req.pem serial serial.old signing_cert.pem	10:41
kodokuu	Do I need to generate or I can use there certif	10:41
*** markvoelker has joined #openstack-keystone		10:43
*** henrynash has quit IRC		10:43
*** markvoelker has quit IRC		10:48
*** amakarov_away is now known as amakarov		10:49
*** kodokuu has quit IRC		11:34
*** marekd has quit IRC		11:39
*** markvoelker has joined #openstack-keystone		11:43
*** markvoelker has quit IRC		11:48
*** samueldmq-away is now known as samueldmq		11:52
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Migrate_repo init version helper https://review.openstack.org/137640	12:04
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Share engine between migration helpers. https://review.openstack.org/137778	12:04
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Use metadata.create_all() to fill a test database https://review.openstack.org/93558	12:04
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Add index to the revocation_event.revoked_at. https://review.openstack.org/137639	12:04
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630	12:04
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Fix index name the assignment.actor_id table. https://review.openstack.org/137637	12:04
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Fix index name the assignment.actor_id table. https://review.openstack.org/137637	12:06
*** raildo\|away is now known as raildo		12:08
htruta	bknudson: could you take a 30 seconds look at https://review.openstack.org/#/c/116081/ ?	12:15
*** markvoelker has joined #openstack-keystone		12:18
*** rushiagr is now known as rushiagr_away		12:23
*** gordc has joined #openstack-keystone		12:35
*** bknudson has quit IRC		12:40
*** davechen has joined #openstack-keystone		12:49
*** sigmavirus24_awa is now known as sigmavirus24		12:57
*** bknudson has joined #openstack-keystone		13:01
*** ChanServ sets mode: +v bknudson		13:01
dstanek	so what is the rule about changing existing migrations? when is it OK and when is it a no-no?	13:05
*** kodoku has joined #openstack-keystone		13:10
*** rushiagr_away is now known as rushiagr		13:10
kodoku	Hi. When I restart keystone I have this : DEBUG keystone.notifications [-] Callback: `keystone.token.provider.Manager._delete_...... This is normal ?	13:11
dstanek	kodoku: do you have debug logging on? if so you will see lots and lots of messages	13:12
kodoku	dstanek Yes I have debug mode	13:12
dstanek	kodoku: then it's normal to see the debug messages	13:12
kodoku	dstanek http://pastebin.com/Eu9Zurgh	13:15
kodoku	Maybe you can help me now :)	13:15
dstanek	what happens when you curl that url?	13:17
kodoku	what url ?	13:17
dstanek	https://juno001.fr:35357/v2.0/	13:18
dstanek	i assume you are having connectivity issues base on the 'SSL exception ...' message	13:18
kodoku	with -k ?	13:19
dstanek	either way	13:19
kodoku	http://pastebin.com/DXYXzaVD	13:20
dstanek	what is that ip address in the original paste?	13:21
kodoku	this is IP of juno001.fr	13:21
dstanek	you could try adding --insecure to the keystone command	13:22
kodoku	dstanek http://pastebin.com/ncQEDdHD	13:24
dstanek	kodoku: that's what you expected, right?	13:26
kodoku	yes but I see ""GET /v2.0/users HTTP/1.1" 200 1256"	13:27
kodoku	So this message is in HTTP	13:27
dstanek	i don't think that means anything	13:28
kodoku	ok	13:28
dstanek	it's using the HTTP/1.1 protocol - there is no HTTPS/1.1	13:29
kodoku	So I need to add the CA in my compute to get response of keystone	13:30
dstanek	have you tried to use the openstack client? i don't know is ksc has support for OS_CACERT	13:31
*** ishant has quit IRC		13:31
*** kodokuu has joined #openstack-keystone		13:31
*** jaosorior has quit IRC		13:32
kodokuu	stanek Ok works :) If I enable https, http doesn't works ? I need to change all conf of nova, cinder ....	13:34
*** kodoku has quit IRC		13:34
kodokuu	dstanek Ok works :) If I enable https, http doesn't works ? I need to change all conf of nova, cinder ...	13:36
dstanek	most likely that is true. you for sure can't run http and https on the same ports	13:37
*** henrynash has joined #openstack-keystone		13:38
*** ChanServ sets mode: +v henrynash		13:38
*** ljfisher has joined #openstack-keystone		13:43
kodokuu	dstanek ok so I change neutron and nova auth. When "nova list" neutron error : ERROR keystonemiddleware.auth_token [-] HTTP connection exception: Unable to establish connection to https://10.121.141.35:35357/	13:43
kodokuu	hum maybe i need to change IP by CN	13:48
*** dims_ is now known as dimsum__		13:49
*** f13o has joined #openstack-keystone		13:50
ayoung	dstanek, I want to pull some changes from DJango-openstack-auth in to a devstack deployment, which means cloning the repo and using setup.py. What is the right majik to do this, so that I can use a repo owned as a non-root user ?	13:53
ayoung	I spent a long time getting this set up, and would rather not trash the system	13:53
*** ljfisher has quit IRC		13:54
breton	dstanek: I think they are OK when they were not released yet	13:54
breton	dstanek: if a migration is in stable, it cannot be changed	13:55
dstanek	ayoung: if you cloned the repo i think you will just have to 'python setup.py develop' to get it installed	13:55
dstanek	breton: so we don't care about people tracking master?	13:55
ayoung	dstanek, as root or as me	13:55
ayoung	I guess as root	13:55
dstanek	ayoung: yeah, for devstack i think you'll have to do root	13:56
breton	dstanek: well, we are not on rolling release	13:56
breton	but let's wait for somebody who has a definite answer	13:56
kodokuu	dstanek : http://pastebin.com/XMpQEhyt	13:57
*** r-daneel has joined #openstack-keystone		13:58
dstanek	kodokuu: can you curl the keystone url from where nova is running?	13:58
dstanek	are you setting the cacert or insecure option there too?	13:59
ajayaa	dolphm, ayoung, dstanek, morganfainberg, stevemar Here is a demo of Keystone running with NoSql backend, http://ajayaa.github.io/distributed-db.html. (POC for https://review.openstack.org/#/c/148521/)	13:59
dstanek	ajayaa: that's neat. what db did you use?	14:01
*** dimsum__ has quit IRC		14:01
ajayaa	dstanek, MagnetoDB.	14:01
ajayaa	We are evaluating Cassandra as well.	14:02
*** kodokuu has quit IRC		14:02
*** dimsum__ has joined #openstack-keystone		14:02
dstanek	nice, i'm not familiar with that one.	14:02
ajayaa	It provides dynamodb like api on top of Cassandra.	14:02
ajayaa	It's not an official project yet but falls under Openstack umbrella.	14:02
ajayaa	It's a stackforge project as of now.	14:03
*** kodoku has joined #openstack-keystone		14:03
dstanek	ajayaa: do you have a link?	14:03
kodoku	ok I don't find option for insecure in neutron.conf	14:03
ajayaa	http://magnetodb.readthedocs.org/en/latest/	14:04
kodoku	and nova is on the same host	14:04
ajayaa	https://github.com/stackforge/magnetodb	14:04
dstanek	ajayaa: thanks i'll have to read up on that this weekend	14:05
ajayaa	dstanek, We are writing a Cassandra backend and would compare with MagnetoDB backend on the basis of schema and code cleanliness.	14:05
ajayaa	dstanek, my pleasure.	14:05
ajayaa	dstanek, just wanted everyone to show a small demo! I hope it's okay.	14:06
ayoung	ajayaa, it needs a soundtrack	14:07
*** mattfarina has joined #openstack-keystone		14:07
ayoung	dstanek, Cassandra was where Termie was origianlly headed with Keystone.	14:08
htruta	dstanek: hey! I agree with your comment here: https://review.openstack.org/#/c/116081/12 maybe we can consider this refactoring in a short future.	14:08
ajayaa	ayoung, you only get what you pay for. ;)	14:08
*** _cjones_ has joined #openstack-keystone		14:08
morganfainberg	ajayaa: nice!	14:08
ayoung	ajayaa, More correct to say but you pay for what you get	14:08
*** samueldmq is now known as samueldmq-away		14:08
dstanek	cassandra is very nice. i wonder about deployers though since they seem like a conservative bunch	14:08
ajayaa	ayoung, :)	14:09
ajayaa	Thanks guys. We are working with glance now to have a NoSql backend for it.	14:10
ayoung	https://review.openstack.org/#/c/167402/ W000000T!	14:10
ajayaa	And the final target would be Nova. :)	14:10
ayoung	We have movement on a DOA patch finally!	14:10
ayoung	Even if it is trivial	14:10
*** trey has quit IRC		14:11
*** _cjones_ has quit IRC		14:11
*** trey has joined #openstack-keystone		14:12
ajayaa	dstanek, I think Cassandra is a mature technology today but agree that not as mature as MySql or MariaDB.	14:13
*** gokrokve has joined #openstack-keystone		14:13
kodoku	dstanek I don't find any option for insecure connection for https in neutron. I search in official docs and nothing :/	14:14
dstanek	ajayaa: i think it's mature enough, but in general it seems like deployers are really conservative	14:14
kodoku	I think neutron curl without -k :/	14:14
ajayaa	dstanek, agree. People who want a massively scalable cloud would also want a db which would scale. I think they are the one who would be interested in this.	14:15
ajayaa	Also, Cassandra backend would be a fault tolerant.	14:15
ayoung	nkinder, I'm closer on WebSSO. Now I get a valid redirect back to Horizion but get:	14:16
ajayaa	It wouldn't an issue if a node goes down at 3 am in the night. Keystone would run just fine.	14:16
ayoung	AttributeError at /auth/websso/	14:16
ayoung	'NoneType' object has no attribute 'token'	14:16
ayoung	I'm wondering if I need to update KC or something	14:16
ajayaa	dstanek, I would love to have deployer's/op's feedback on this though.	14:17
*** zzzeek has joined #openstack-keystone		14:19
morganfainberg	ayoung: I've seen that before. But can't remember where b	14:20
dstanek	morganfainberg: did you see my question from earlier about migrations?	14:21
morganfainberg	dstanek: nope. Just woke up.	14:22
morganfainberg	(Yes I actually sleep sometimes)	14:22
*** timcline has joined #openstack-keystone		14:22
dstanek	morganfainberg: i forgot that it's super early there. no pressure. we can chat later about it.	14:22
morganfainberg	Nah all good. What's up?	14:23
morganfainberg	Gotta wait an hour before going for coffee/breakfast.	14:23
*** gokrokve has quit IRC		14:23
dstanek	is there a guideline for when/if it's OK to change an existing migration? are migrations that are new in the release fair game to change?	14:24
*** gokrokve has joined #openstack-keystone		14:24
morganfainberg	The guideline is (from my perspective). If the change to the migration doesn't change functionality or resulting db/schema/data you can do it.	14:25
morganfainberg	Otherwise any changes need an idempotent follow up to do the same thing even in the same Dev cycle.	14:25
morganfainberg	This is because some deployers run close to master	14:26
morganfainberg	And changing the result of a migration means they'd have inconsistent dbs from what we expect.	14:26
dstanek	that's what i was worried about. how much we care about that.	14:26
dstanek	there are lots of examples, but the one i found this morning was https://review.openstack.org/#/c/168003/3/keystone/common/sql/migrate_repo/versions/062_drop_assignment_role_fk.py	14:27
morganfainberg	So for the case of the Idp registration review I -1d the fix to not use the model shouldn't change anything.	14:27
morganfainberg	Uhh. Yeah that's a -1	14:28
*** gokrokve has quit IRC		14:29
*** ayoung is now known as ayoung-afk		14:29
dstanek	morganfainberg: which one is the idp registration review?	14:30
morganfainberg	https://review.openstack.org/#/c/152156/	14:32
morganfainberg	dstanek: looks like my comment was addressed. But I had -1d because they used the model to do the migration.	14:32
morganfainberg	Which is dangerous since the model could change.	14:32
morganfainberg	See Stevemar's follow up patch.	14:33
dstanek	morganfainberg: when i fixed that patch i didn't think about changing that part too. i just changed the query	14:36
breton	Folks, I think there is a problem with https://review.openstack.org/#/c/152156/40	14:36
dstanek	what's the problem?	14:37
breton	I'm getting ProgrammingError: column "ccc98bb335df46d796202bd8b0f65a5c" does not exist when I run the test on postgresql	14:37
breton	*the schema upgrade test	14:37
morganfainberg	breton: well 2 things: you run Postgres? (First person who has said as much openly)	14:37
morganfainberg	And 2: I assume it is because you have data in the db vs a clean migrate like what occurs in gate?	14:38
breton	morganfainberg: I test on mysql and on postgres	14:38
dstanek	it worked on mysql though?	14:38
breton	morganfainberg: I drop the db and create it before running the test	14:39
breton	dstanek: I will try now	14:39
morganfainberg	breton: can you see if the follow up patch also breaks in pgsql?	14:39
morganfainberg	Since it changes how migrate... Oh the upgrade test? Weird.	14:40
breton	morganfainberg: yes. I started with it.	14:40
breton	morganfainberg: then tried parent commit and it failed on the test too.	14:40
breton	mysql is ok though.	14:40
* morganfainberg votes OpenStack drop Postgres support because it is poorly tested at best - at worst it is horribly broken.		14:41
morganfainberg	Or we should use Postgres and really commit to it.	14:41
morganfainberg	But this supporting "all db engines sort of" bugs me.	14:41
breton	http://paste.openstack.org/show/197167/ -- log from postgres	14:42
morganfainberg	breton: we can boot it out of gate easily. But I'd like to know more of why it is broken before we do.	14:42
breton	*from test	14:42
breton	*with postgres	14:42
*** jorge_munoz has quit IRC		14:42
morganfainberg	breton: that is weird.	14:43
*** _cjones_ has joined #openstack-keystone		14:43
morganfainberg	Afict that shouldn't be happening from the query.	14:43
*** jorge_munoz has joined #openstack-keystone		14:43
morganfainberg	Or is that a bad error message from Oslo.db	14:44
morganfainberg	I don't see how that query is resulting in a column not found for the Idp-id value	14:44
*** jorge_munoz has quit IRC		14:44
morganfainberg	Or.. Is "column not found" Postgres way of saying no rows returned?	14:45
dstanek	i think that message is saying the row doesn't exist	14:46
breton	I don't think so.	14:46
breton	I think it is something about quotes	14:46
morganfainberg	SELECT idp_remote_ids.idp_id, idp_remote_ids.remote_id \nFROM idp_remote_ids \nWHERE idp_id="ccc98bb335df46d796202bd8b0f65a5c"' {}	14:46
breton	that "WHERE" is constructed somehow manually on line 738	14:46
morganfainberg	What is that {} at the end?	14:46
morganfainberg	Oh nvm.	14:47
breton	I don't know, but it's outside of single quotes	14:47
morganfainberg	breton: yeah that's why I said nvm	14:47
dstanek	i haven't looked at the code, but i would guess bindvars	14:47
dstanek	do you need spaces around the = for postgres?	14:47
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Add domain_id checking in create_project https://review.openstack.org/159944	14:47
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427	14:47
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Change domain_id FK in project table https://review.openstack.org/166354	14:47
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854	14:48
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	14:48
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Stop calling domain drivers https://review.openstack.org/165936	14:48
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint https://review.openstack.org/158372	14:48
*** jorge_munoz has joined #openstack-keystone		14:48
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains https://review.openstack.org/164180	14:48
morganfainberg	breton: yep manual where construction won't work.	14:48
morganfainberg	People seem to go out of their way to avoid using the orm	14:48
morganfainberg	breton: ok I can fix this in a quick follow up (rather than booting this out of gate) since this is a test issue. That work?	14:49
breton	morganfainberg: I'll do it (in fact, I already am)	14:49
morganfainberg	Ok sounds good.	14:49
morganfainberg	Thanks	14:49
morganfainberg	dstanek: you and I can pile on the review once breton posts it.	14:50
dstanek	sounds good	14:50
dstanek	wow, i had no idea - https://wiki.postgresql.org/wiki/Things_to_find_out_about_when_moving_from_MySQL_to_PostgreSQL	14:53
*** carlosmarin has joined #openstack-keystone		14:53
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Creating domain and filtering by parent_id https://review.openstack.org/161378	14:53
dstanek	lots more differences in simple things than i expected	14:53
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: List projects filtering by is_domain flag https://review.openstack.org/158398	14:53
openstackgerrit	Dave Chen proposed openstack/keystone: Don't add unformatted project-specific endpoints to catalog https://review.openstack.org/144860	14:53
morganfainberg	dstanek: neat. We should yell at people for not using the orm. :P	14:54
bknudson	ceilometer is working on a cassandra backend.	14:56
breton	git review ignores my -R :(	14:58
*** _cjones_ has quit IRC		14:58
bknudson	there's probably a config option for rebasing.	14:58
*** _cjones_ has joined #openstack-keystone		14:59
*** davechen has left #openstack-keystone		15:07
morganfainberg	dstanek: wow some of the things professed as benefits of Postgres makes my skin crawl. Anytime someone advocates putting business logic in the db (aka functions/stored proceedures) is say they are doing it wrong. Now the views are nice especially since the MySQL version of those afaict don't update where you can have auto updating views in pgsql and oracle.	15:07
dstanek	i hate stored procedures	15:08
dstanek	i would love views - that's the only thing i miss from Oracle	15:08
dstanek	oh, i guess i miss all the money we spent too	15:08
bknudson	might as well just use a flat filesystem if you don't care about store procedures.	15:09
*** devlaps has joined #openstack-keystone		15:10
dstanek	bknudson: are you a fan?	15:10
j_king	postgresql is my preferred rdbms.	15:10
*** ajayaa has quit IRC		15:11
bknudson	dstanek: there's all sorts of things you can do if you're willing to tie yourself to a specific database... probably is anything slightly advanced won't be cross-db.	15:11
bknudson	"problem is"	15:11
amakarov	Greetings to all! A question: is 'list_revoked_tokens' still used somewhere? It appears to be a bottleneck...	15:12
openstackgerrit	Boris Bobrov proposed openstack/keystone: Use ORM in upgrade test instead of manual query construction https://review.openstack.org/168365	15:12
*** samueldmq has joined #openstack-keystone		15:14
gordc	bknudson: +1... 'jack of all trades' route is definitely restrictive.	15:15
morganfainberg	amakarov: it is intact used. It is how we generate the revocation list iirc.	15:16
morganfainberg	amakarov: at least I think that is where it is used. (Not the revocation events but the old list style)	15:17
amakarov	morganfainberg, thanks, so I can't just remove it... Sad.	15:18
morganfainberg	bknudson: I don't care about stored proceedures. Fork lifting business logic into the db engine results into all sorts of icky issues. It tends to also lead to bad design because "oh we can fix that in the db". There are always exceptions (often migration from one data set to another before all apps are updated, etc)	15:19
amakarov	morganfainberg, under high load memcache lock in token kvs backend quickly depletes max lock attempts	15:20
morganfainberg	amakarov: yep. Don't use memcache. No really don't. :(	15:20
morganfainberg	amakarov: this is another issue with persisted tokens. Either you suffer with locking in kvs or db sql table sizes and gap lock on flush	15:21
*** fifieldt has quit IRC		15:21
amakarov	morganfainberg, I'm tuning release based on juno and can't switch to Redis. Feel a bit BDSM victim :)	15:22
openstackgerrit	Merged openstack/keystone: IdP ID registration and validation https://review.openstack.org/152156	15:22
morganfainberg	amakarov: so, if you use uuid tokens. You could rip out all the house keeping/locking stuff if you don't care about revocation lists	15:23
morganfainberg	amakarov: but we can't do that upstream atm.	15:23
morganfainberg	Trust me, I'd like to make the TRL go away permanently.	15:24
amakarov	morganfainberg, that's really good news!	15:24
*** _cjones_ has quit IRC		15:24
morganfainberg	bknudson: It dawned on me that ksm dependencies become $project dependencies. Since ksm doesn't used a separate interpreter/venv. Icky :(	15:26
morganfainberg	amakarov: something we could enhance in liberty when revocation events become really a first class supported option in middleware	15:27
bknudson	are ksm dependencies that bad?	15:27
*** gyee has joined #openstack-keystone		15:29
*** ChanServ sets mode: +v gyee		15:29
amakarov	morganfainberg, I was surprised to find TRL instead of revocation events in middleware :)	15:30
*** samueldmq_ has joined #openstack-keystone		15:31
*** stevemar has joined #openstack-keystone		15:34
*** ChanServ sets mode: +v stevemar		15:34
*** samueldmq has quit IRC		15:34
dstanek	morganfainberg: you would recommend against the memcached backend for tokens?	15:35
dstanek	i would too, but i'm curious what the official position is	15:35
morganfainberg	dstanek: I recommend sql backend tbh	15:36
morganfainberg	For pre kilo	15:36
dstanek	what about for k?	15:36
morganfainberg	Kilo and later I'd say Fernet	15:36
morganfainberg	Even being new	15:36
dstanek	i ask because https://review.openstack.org/#/c/167692/7/doc/install-guide/section_keystone-install.xml	15:36
morganfainberg	It solves the biggest scale issue with keystone.	15:36
morganfainberg	The memcache backend would have been deleted if I though I could do so without being lynched	15:37
morganfainberg	It is awful with a ton of really bad housekeeping things to address some design decisions that were regretted later on. (The TRL)	15:38
breton	morganfainberg: I've raised a question about fernet tokens in the ml	15:38
breton	morganfainberg: I don't quite see how to use them on multi-node setup	15:39
amakarov	morganfainberg, m.b. Redis? ;)	15:39
morganfainberg	breton: yes. Today the answer is the same as the pki stuff. It really is on the deployed to maintain. Next cycle that will be looked at so we can make fernet a default if we wanted to	15:39
breton	so	15:39
breton	sql backend is slow as hell	15:39
morganfainberg	amakarov: redis only solves the issue with persistence in memcache.	15:39
breton	memcache should not be used	15:40
breton	fernet are not ready for multi-node setup	15:40
breton	looks depressing :)	15:40
morganfainberg	breton: and the memcache backend is a tram wreck because it is beig used for the wrong thing. Memcache is not persistent store.	15:40
dstanek	breton: why do you say that?	15:40
morganfainberg	breton: the best answer is sql.	15:40
breton	dstanek: say what? About fernet?	15:40
morganfainberg	breton: the issue is most people run untuned MySQL and complain the performance is bad.	15:40
amakarov	morganfainberg, yes, I compare it to memcache and sql - Fernet is awsome without question )	15:41
dstanek	breton: i got it working fine with a test multnode setup	15:41
breton	dstanek: how do you sync keys?	15:41
dstanek	breton: ansible	15:41
dstanek	you could use all kinds of stuff to sync them based on your environment	15:41
morganfainberg	breton: ansible, drbd, etc	15:41
breton	are they ha? Will they work if one of the nodes go down?	15:42
morganfainberg	We didn't try and solve that issue at this point. Solving may be documentation and recommending options for syncing	15:42
dstanek	breton: they were both behind the load balancer	15:42
morganfainberg	But syncing files of a particular type around is a long solved devops (hate that word) problem	15:43
dstanek	the design of how the keys rotate makes it work nicely in multi node since the "next" key is synced before it is used	15:43
*** mattamizer has joined #openstack-keystone		15:43
morganfainberg	So we figured that was a way to smooth out rough edges the next cycle. Even if that is just documentation.	15:43
morganfainberg	dstanek: ++	15:44
* breton doesn't have enough devops skills		15:44
dstanek	+100 for Keystone not dealing with the sync - it's a configuration management issue	15:44
rodrigods	stevemar, in the ECP and relay_state patches, I changed the controller to use directly the config and it seemed to work	15:44
stevemar	rodrigods, link?	15:44
morganfainberg	dstanek: exactly. It might be just docs. But docs and recommendations go a long way.	15:44
breton	but I still do not see how current implementation can be synced without the master node	15:44
rodrigods	stevemar, https://review.openstack.org/#/c/166078/7	15:45
morganfainberg	breton: it can be synced either way. Make a key, sync, then rotate as you want.	15:45
dstanek	i ran the rotation on one node and synced to the others	15:45
morganfainberg	breton: you always sync a key (either direction) before you use it	15:45
*** mattamizer has quit IRC		15:46
breton	dstanek: what if the node supposed to run the rotation and push the new key gets broken?	15:46
morganfainberg	It doesn't need a dedicated node to sync it just needs a node to perform the new key generate (any node), that is then used to sync.	15:46
morganfainberg	breton: use the other node. Any node can generate. Sync from whatever node you generate from.	15:47
dstanek	breton: right. if the process of generating the new key fails then whatever you are automating the process with should tell you that	15:48
*** kodoku has quit IRC		15:48
dstanek	also i mentioned this to lbragstad, it would be nice to have a simple way to generate keys without a full keystone installation	15:49
morganfainberg	dstanek: ++	15:49
morganfainberg	things to work on for next cycle.	15:50
breton	dstanek: well, it's not how high availability works, doesn't it?	15:50
lbragstad	dstanek: first iteration https://github.com/lbragstad/revolver	15:50
*** _cjones_ has joined #openstack-keystone		15:50
morganfainberg	breton: if any node can be used and you can sync from that node, I don't see how you're missing on the HA front.	15:50
dstanek	breton: the key rotation doesn't have to be HA in the same way that a running system needs to be	15:50
morganfainberg	It's not something that happens every 30seconds or even every 30minutes usually.	15:51
breton	morganfainberg: really? Then how often should keys be rotated?	15:51
dstanek	say you rotate every hour. something happens and that process fails. the system is still available while the ops team fixes rotation	15:51
lbragstad	dstanek: ++ that's part of the benefit behind the staging key	15:52
dstanek	breton: daily or much longer is probably going to be very common	15:52
morganfainberg	dstanek: my guess is 1-2 days is likely. Weekly is the outside edge of what people will do.	15:53
* breton would like to see some math to find out how often it should be		15:53
breton	because http://lbragstad.com/?p=133 talks about minutes	15:53
lbragstad	breton: yeah, that's an example for the sake of easy math	15:54
morganfainberg	breton: how much time does it take to reverse out an aes and hmac key pair.	15:54
dstanek	it will have to be at least (mins_needed_for_longest_operation / (num_active_keys * expected_rotation))	15:54
morganfainberg	dstanek: token_ttl	15:54
morganfainberg	Not mins for operation	15:55
morganfainberg	But same effect.	15:55
dstanek	morganfainberg: the token_ttl could be 1 day, but if you rotation ever minute and only allow 3 active keys then the effective ttl is 3 minutes	15:56
morganfainberg	Right. I'd argue that rotation should always be calculated on ttl (barring exceptional circumstances) not	15:56
morganfainberg	Expected length of time for max length operation	15:56
morganfainberg	Just when we communicate it to people	15:57
dstanek	i'd totally agree - was just showing the minimum	15:57
morganfainberg	We are in vehement agreement	15:57
*** ayoung-afk is now known as ayoung		15:59
rodrigods	stevemar, should the relay_state be returned in the service_catalog?	15:59
ayoung	j_king, a dev after my own heart. Prefer postgresql, and glad to see Stonebraker won the Turing.	16:01
*** _cjones_ has quit IRC		16:01
ayoung	morganfainberg, so, rcrit had an interesting suggesting. Ipsilon has a plugin that uses pam to read users and groups. We could run devstack to set up islinlon, create a local user, and use that for SAML testing	16:02
*** _cjones_ has joined #openstack-keystone		16:02
*** ajayaa has joined #openstack-keystone		16:02
ayoung	No external dependencies	16:02
*** thedodd has joined #openstack-keystone		16:04
*** gokrokve has joined #openstack-keystone		16:08
rodrigods	stevemar, I fixed the tests here but removed the RELAY_STATE_PREFIX constant from federation/core.py and I'm using the config directly... if you are ok with it I can submit	16:08
*** csoukup has joined #openstack-keystone		16:09
openstackgerrit	henry-nash proposed openstack/keystone: Update configuration documentation for domain config https://review.openstack.org/165754	16:11
stevemar	rodrigods, definitely doesn't need to be in the service catalog	16:11
stevemar	rodrigods, the changes sound fine, go ahead boss	16:11
*** browne has joined #openstack-keystone		16:11
rodrigods	stevemar, great, just running the tests again here	16:12
stevemar	apparently i broke something in the tests	16:12
stevemar	rodrigods, oh, rename the file to 008, i bet that's it	16:12
ayoung	stevemar, running websso patches against horizon, I get this:	16:12
ayoung	2015-03-27 16:11:02.395195 File "/opt/stack/django_openstack_auth/openstack_auth/user.py", line 28, in set_session_from_user	16:12
ayoung	2015-03-27 16:11:02.395197 request.session['token'] = user.token	16:12
ayoung	2015-03-27 16:11:02.395199 AttributeError: 'NoneType' object has no attribute 'token'	16:12
ayoung	This is after the redirect back from the SAML IdP	16:13
ayoung	what did I break?	16:13
ayoung	do I need an auth plugin for KC? I assume not.	16:15
rodrigods	stevemar, the error is because it is creating a non-nullable column without a default value	16:17
stevemar	ayoung, there's still DOA work that needs to be rebased	16:20
ayoung	stevemar, OK...so Work is in progress...I have to wait.	16:20
stevemar	they current DOA patch for federation doesn't use the auth plugins yet	16:20
ayoung	I hate waiting	16:20
stevemar	me too	16:20
*** lhcheng_afk has joined #openstack-keystone		16:22
ayoung	stevemar, so, what needs to happen? I want to make sure I understand the path to having a workable WebSSO in Kilo.	16:23
ayoung	DOA needs to support Auth plugins	16:23
ayoung	and then ... we use the Federation plugin for this.	16:23
*** gokrokve has quit IRC		16:23
ayoung	Do we need a special auth plugin for Horizon? THe redirect to Keystone triggers the call to the IDP, when gets the assertion, goes back to Keystone, gets the token, posts the token to Horizon	16:24
ayoung	at that point, we should have an unscoped token. DOA should use it just like any other unscoped token	16:24
ayoung	Wher does the auth plugin fit in?	16:25
*** krykowski has quit IRC		16:26
stevemar	ayoung, hooold up, you're moving too fast for me - "DOA needs to support auth plugins" jamielennox just delivered this, it's merged	16:28
ayoung	stevemar, right.	16:29
stevemar	ayoung, we would actually use a token plugin, not a federation plugin. i think lhcheng_afk is trying to rework the current patch to use auth plugins	16:29
ayoung	And the DOA WebSSO patch is -1 cuz he's reqbasing on top of that	16:29
stevemar	right	16:29
ayoung	Ah...ok, token plugin makes sense	16:29
ayoung	coo	16:29
stevemar	and yes, you are right - it would work like any other token at that point, it's unscoped and will list projects	16:30
ayoung	stevemar, what do you think of my proposal to have Ipsilon in devstack using a local user and pam as our way of testing Federation?	16:30
stevemar	ayoung, it's good to have options, dstanek was doing some stuff with pysaml2 for functional testing, could easily be ported to devstack	16:31
stevemar	using pysaml2 as an idp	16:31
stevemar	super easy review: https://review.openstack.org/#/c/168244/	16:32
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add API to create ecp wrapped saml assertion https://review.openstack.org/162866	16:32
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add relay_state_prefix to Service Provider https://review.openstack.org/166078	16:32
rodrigods	stevemar, gyee ^	16:33
ayoung	stevemar, +2A	16:33
stevemar	ayoung, there's one more i had for EP filter... https://review.openstack.org/#/c/168241/	16:34
stevemar	poor EP filter, it's so neglected	16:34
ayoung	done	16:35
dstanek	stevemar: ayoung: i'd love not to use pysaml2	16:35
stevemar	rodrigods, before you switch branches...	16:35
stevemar	rodrigods, change 007 to 008	16:36
stevemar	otherwise the migration won't happen	16:36
rodrigods	stevemar, is there a 007 script?	16:36
stevemar	yep	16:36
stevemar	https://github.com/openstack/keystone/tree/master/keystone/contrib/federation/migrate_repo/versions	16:36
rodrigods	stevemar, didn't show up in the rebase here	16:36
stevemar	rodrigods, just landed	16:36
rodrigods	stevemar, ah, cool	16:36
ayoung	dstanek, I think ipsilon makes sense for this. I would be in the HTTPD server config, and, just like everything else, would need to make space in the namespace of the server by bumping Horizon down one level	16:37
dstanek	i'll have to read up on it this weekend	16:37
stevemar	rodrigods, the rename and 1 spot in test_backend_federation	16:38
*** atiwari has joined #openstack-keystone		16:39
*** afazekas has quit IRC		16:40
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Fix for migration 062 on MySQL https://review.openstack.org/168003	16:43
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add API to create ecp wrapped saml assertion https://review.openstack.org/162866	16:46
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add relay_state_prefix to Service Provider https://review.openstack.org/166078	16:46
gyee	rodrigods, thanks!	16:46
*** lhcheng_afk is now known as lhcheng		16:50
*** bknudson has quit IRC		16:51
*** henrynash has quit IRC		16:55
*** tqtran has joined #openstack-keystone		17:03
*** asselin has left #openstack-keystone		17:04
ayoung	stevemar, ok...so for the Kerberos and SSSD approach, I want to use Federation, but I don't need to go to a remote IDP; Keystone can do everything it needs to issue a token. I assume I need the DIOA using Token PLugin piece to make that work...what about on the KEystone side?	17:05
ayoung	Instead of the protocol being SAML, it really is HTTP+Kerberos	17:05
ayoung	so, lets say we call it Kerberos (and get yelled at by the Pedants later)	17:06
ayoung	My Horizon is currently using mod_mellon to redirect to Keystone...Horizon would have to do that itself	17:06
*** henrynash has joined #openstack-keystone		17:08
*** ChanServ sets mode: +v henrynash		17:08
*** _cjones_ has quit IRC		17:08
morganfainberg	ayoung: I think ipsilon via devstack has potential. Keeping all in-node is much easier than trying to roll it multi node	17:08
ayoung	++	17:10
morganfainberg	ayoung: I'll obviously need to see ipsilon in action and all that. But it's a decent idea for a real (not awful) Idp	17:10
morganfainberg	Not based on silly pysaml lib	17:10
ayoung	morganfainberg, I'm going to get isplion up on younglogic.net	17:10
morganfainberg	ayoung: so, can I do the needed bind to younglogic.net to treat it as an ldap identity. Backend?	17:12
ayoung	morganfainberg, there is a PAM plugin for Ipsilon, so it can use local users.	17:12
morganfainberg	I'm trying out a deployment were sql is the default identity driver, and default domain is a per-domain configuration	17:12
ayoung	FOr Devstack, we'd probably use "stack" or sometjhing	17:12
ayoung	Ah	17:13
ayoung	You need a public LDAP server...	17:13
ayoung	I think so.	17:13
*** jistr has quit IRC		17:13
*** gokrokve has joined #openstack-keystone		17:13
morganfainberg	I just feel lazy and would rather not setup a 1-off if your server can act as it for my testing / documentation purposes.	17:14
morganfainberg	If not I'll spin up openldap but if it is already somewhere I can use, that is better.	17:14
ayoung	morganfainberg, firewall port is not open, but other than that, it is ready to go	17:15
gyee	morganfainberg, stevemar, henrynash, lhcheng, we should be able to update the doc as a bug right? https://review.openstack.org/#/c/167939/	17:16
ayoung	actually	17:16
stevemar	gyee, i would think so?	17:16
morganfainberg	Cool I'll ping you once I'm ready to test this (next week). I'm looking for a way to help people migrate from v2 backends to ldap + v3.	17:16
stevemar	i mean... we're correcting it, but it's morganfainberg 's call at the end	17:16
morganfainberg	Since people just want to mostly add service users in and migrate to v3 etc.	17:17
gyee	stevemar, agreed	17:17
morganfainberg	ayoung: and a lot of people aren't off v2 so this helps bridge the gap.	17:17
morganfainberg	gyee, stevemar, lhcheng: so new api. Do we need that api to unbreak something or can it defer to liberty?	17:19
*** henrynash has quit IRC		17:20
morganfainberg	As in it is just not exposed but nothing needs it atm.	17:20
gyee	right	17:20
gyee	that API was never exposed	17:20
ayoung	morganfainberg, so the only issue with the younglogic.net IPA server is that is Version 3, and version 4 has the much prettier UI. I was hoping to upgrade it, but I'll keep it stable as long as you need it	17:21
morganfainberg	So then we defer to liberty if it isn't really going to break anything.	17:21
morganfainberg	ayoung: nah. Upgrade away as long as you don't mind me using ldap stuffs.	17:22
morganfainberg	Or I can wait till you upgrade.	17:22
morganfainberg	No big deal.	17:22
ayoung	morganfainberg, it is not on my short list of things to do.	17:22
ayoung	I was really just doing the coder equivalent of "Sorry my house is so messy" that you get when you walk into the house of someone significantly neater than you are.	17:23
gyee	morganfainberg, I am fine with defer it to L	17:23
morganfainberg	ayoung: hehe ok.	17:24
openstackgerrit	Steve Martinelli proposed openstack/keystone-specs: Update path for listing a project's endpoint groups https://review.openstack.org/168427	17:25
stevemar	gyee, morganfainberg lhcheng ^	17:26
lhcheng	stevemar: thanks!	17:26
*** davidckennedy has quit IRC		17:26
morganfainberg	stevemar: I think this is a defer to L unless we are really breaking something without this.	17:26
stevemar	morganfainberg, we're not, but the API is broken	17:27
gyee	we are unbreaking the broken API	17:27
morganfainberg	stevemar: the api doesn't work, what doesn't work?	17:27
stevemar	morganfainberg, the code and tests are all there, the route/patch never existed	17:27
morganfainberg	So what (besides this specific api call) is really not working?	17:28
stevemar	the API said go to: /endpoint_groups/projects/{id}, but this route was never handled by keystone server side	17:28
stevemar	thats it	17:28
morganfainberg	How big of an impact to the user is it?	17:28
* stevemar shrugs		17:28
gyee	there's no user impact as that API was never exposed	17:29
morganfainberg	"It is a bloody awful ux not to have this we should fix it for kilo" or "meh, no one uses this anyway or feels it is missing" or "oh hell why do we even have this api, it is useless"	17:29
gyee	but if there's a reference implementation of Keystone out there written in Go, sucks for them	17:29
morganfainberg	Pick one. ;)	17:29
gyee	2)	17:30
stevemar	yeah 2_	17:30
morganfainberg	Then we should just probably defer to liberty.	17:30
stevemar	if no one noticed it didn't exist in all of Juno and most of kilo dev, then no one uses it anyway	17:30
stevemar	alright, lets untarget the bug for kilo-rc1 then!	17:30
morganfainberg	stevemar: and I'll toss some -2s around.	17:31
* morganfainberg really wants a new column: -1 "feature freeze" that the ptl gets		17:32
stevemar	lol	17:32
gyee	no argument here	17:32
morganfainberg	So I can easily tell if it is feature freeze or -2 "oh hell no"	17:32
stevemar	morganfainberg, now if there was a way to automatically set that flag during RC time for every new patch, you're set ;)	17:33
morganfainberg	I could make a bot at that point. Easy	17:33
openstackgerrit	Merged openstack/keystone: add test of /v3/auth/catalog for endpoint_filter https://review.openstack.org/168210	17:34
morganfainberg	stevemar: maybe we can make it -2 workflow and make that sticky	17:35
* morganfainberg should ask infra.		17:35
*** henrynash has joined #openstack-keystone		17:38
*** ChanServ sets mode: +v henrynash		17:38
* morganfainberg asks jeblair in -infra		17:38
openstackgerrit	Steve Martinelli proposed openstack/keystone: Change the way values are migrated for 007_add_remote_id_table https://review.openstack.org/168239	17:41
stevemar	morganfainberg, addressed your concern here ^	17:41
morganfainberg	stevemar: yep! Thanks	17:42
morganfainberg	It wasn't a blocker to land the patch because the model hadn't changed but it needed to happen before rc	17:42
*** henrynash has quit IRC		17:43
*** _cjones_ has joined #openstack-keystone		17:44
*** spandhe has joined #openstack-keystone		17:47
rodrigods	morganfainberg, do we have a new ksc release? I remember there was a discussion to release it earlier this week	17:47
morganfainberg	rodrigods: yes I released on wed. Looks like announcement email got stuck in my outbox	17:48
rodrigods	morganfainberg, thanks!	17:49
*** bknudson has joined #openstack-keystone		17:49
*** ChanServ sets mode: +v bknudson		17:49
*** chuckcarmack has joined #openstack-keystone		17:51
openstackgerrit	Merged openstack/keystone: Remove empty request bodies https://review.openstack.org/168244	17:53
openstackgerrit	Merged openstack/keystone: Remove unnecessary import that was not checked https://review.openstack.org/168241	17:53
*** iwi has joined #openstack-keystone		17:54
iwi	hi there, is it possible tell python-keystoneclient that it should only use public endpoint ?	17:55
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Add routing for list_endpoint_groups_for_project https://review.openstack.org/167939	18:07
ayoung	nkinder, look what I just fouind in the log: 2015-03-27 18:09:05.415336 Websso is enabled but your keystone does not support it.	18:09
ayoung	2015-03-27 18:09:05.415373 Please use keystone version 3 or above.	18:09
bknudson	stevemar: you signed up for the openstack booth at pycon?	18:11
bknudson	maybe you can tag team with dstanek	18:11
ayoung	stevemar, how are we supposed to enumerate the set of values in the "Authenticate Using" box in Horizon? Something in local_settings.py	18:12
*** chuckcarmack has left #openstack-keystone		18:13
*** ericksonfgds_ has joined #openstack-keystone		18:17
stevemar	bknudson, i did - one way or another i'll get there	18:20
stevemar	bknudson, train for $60 + crash at gordc's place - booya	18:20
stevemar	gordc, btw	18:20
gordc	lol!	18:22
gordc	i should warn you my couch is meant for a child but sure.	18:22
dstanek	openstack booth?	18:22
*** afazekas has joined #openstack-keystone		18:23
*** amakarov is now known as amakarov_away		18:29
*** gyee has quit IRC		18:32
openstackgerrit	Priti Desai proposed openstack/keystone: Fix for listing role assignments by project admin https://review.openstack.org/168443	18:32
stevemar	gordc, i'm kidding / not kidding...	18:33
stevemar	gordc, should get funding, i think	18:33
dstanek	stevemar: does that mean you'll be at PyCon?	18:36
*** afazekas has quit IRC		18:37
gordc	errr ok. you can sleep at our office. it's a 5 min walk.	18:37
stevemar	dstanek, yep	18:38
gordc	stevemar: don't wake up the other people though.	18:38
dstanek	stevemar: i still have to get a hotel booked	18:38
stevemar	gordc, i'm good with a couch :P	18:39
stevemar	dstanek, gordc i should hear about funding by EOD... the free passes that the foundation was offering definitely helps	18:40
* gordc goes to set up airbnb for the office.		18:40
dstanek	stevemar: i wish i know about free passes - would have save $400	18:40
bknudson	how do you get the pass?	18:40
stevemar	dstanek, i just heard about it yesterday	18:41
bknudson	say you work for a poor company?	18:41
stevemar	it was on a mailing list	18:41
bknudson	the ceo is barely making it.	18:41
gordc	stevemar: aight. let me know.	18:41
stevemar	http://lists.openstack.org/pipermail/community/2015-March/001040.html	18:41
dstanek	now i'm looking for a cheap, but close hotel	18:41
stevemar	bknudson, dstanek	18:41
stevemar	^	18:41
bknudson	it's hardly volunteering when you're getting 400 for it.	18:42
stevemar	getting a pass that is valued at 400	18:43
dstanek	hey, that's my kind of volunteering	18:43
openstackgerrit	Merged openstack/keystone: Use ORM in upgrade test instead of manual query construction https://review.openstack.org/168365	18:50
*** carlosmarin has quit IRC		19:02
ayoung	lhcheng, I'm trying out your patch...pre-Jamies change	19:09
*** carlosmarin has joined #openstack-keystone		19:09
ayoung	For Django Openstack Auth	19:09
ayoung	lhcheng, and the Horizon server seems to be unhappy with me	19:10
ayoung	You around to talk this over?	19:10
lhcheng	ayoung: yes, did you apply the Horizon patch too?	19:10
ayoung	lhcheng, yes	19:11
ayoung	and it seems to be working somewhat	19:11
ayoung	I have set this in the local_settings:	19:11
lhcheng	ayoung: what Horizon error are you seeing?	19:11
ayoung	WEBSSO_ENABLED=True	19:11
ayoung	OPENSTACK_API_VERSIONS = {	19:11
ayoung	"identity": 3,	19:11
ayoung	}	19:11
ayoung	WEBSSO_CHOICES = (	19:11
ayoung	("credentials", _("Keystone Credentials")),	19:11
ayoung	("saml2", _("Security Assertion Markup Language"))	19:11
ayoung	)	19:11
ayoung	WEBSSO_INITIAL_CHOICE = "saml"	19:11
ayoung	and	19:11
ayoung	OPENSTACK_KEYSTONE_URL="http://192.168.1.61:5000/v3	19:11
ayoung	So, first stop, I hit the top level URL and get redirect to login	19:12
ayoung	So far so good	19:12
lhcheng	ayoung: okay.. the local_settings looks right	19:12
ayoung	the initial choices seems to be ignored	19:12
ayoung	It is set on Credentials, not SAML	19:12
ayoung	ah...	19:12
lhcheng	ayoung, WEBSSO_INITIAL_CHOICE = "saml2"	19:12
ayoung	saml2...ok, let me fix that	19:13
ayoung	One bug down!	19:13
ayoung	Ok, so now it defaults to "Security Assertion Markup Language"	19:13
ayoung	no visible fiels except a submit button	19:13
ayoung	HIt connect and it spins until timeout	19:14
*** ajayaa has quit IRC		19:14
lhcheng	ayoung, So.. the button name should be changing depending on the value of the dropdown	19:15
ayoung	It says connect right now	19:15
ayoung	I think that is right	19:15
lhcheng	ayoung: okay	19:16
lhcheng	ayoung, does Horizon try to redirect you to another page?	19:16
ayoung	Nope	19:16
lhcheng	did the url in the browser changed?	19:16
ayoung	nope	19:17
ayoung	let me pull up the saml tracer	19:17
ayoung	that shows it doing a POST to /auth/login	19:17
bknudson	I wonder if having a stable/ branch for keystoneclient doesn't give us a little more leeway for a 2.0.	19:18
ayoung	lhcheng, nothing in horizon log. I can try and put in a breakpoint somewhere, but where?	19:19
lhcheng	ayoung: right, and DOA should process that POST request and perform a redirect to http://192.168.1.61:5000/v3/auth/OS-FEDERATION/websso/saml2?origin=XXX	19:19
ayoung	lhcheng, something is hanging.	19:19
lhcheng	ayoung: somewhere in line 65: https://review.openstack.org/#/c/136178/21/openstack_auth/views.py	19:20
*** gsilvis has quit IRC		19:21
ayoung	lhcheng, nah, it hits that code on an earliert form, but doesn't seem to go through it again	19:21
ayoung	thee _init__ function I mean	19:21
*** gsilvis has joined #openstack-keystone		19:22
ayoung	sorry, wrong file	19:22
ayoung	I was in forms, not views	19:22
*** afazekas has joined #openstack-keystone		19:24
*** atiwari has quit IRC		19:25
ayoung	OK, redirect url is	19:25
ayoung	http://192.168.1.61:5000/v3/auth/OS-FEDERATION/websso/saml2?origin=http://federate.cloudlab.freeipa.org/auth/websso/	19:25
*** atiwari has joined #openstack-keystone		19:25
lhcheng	ayoung: can you access that if you hit it from your browser?	19:25
ayoung	trying now	19:25
ayoung	lhcheng, interesting...it seems to be hanging now, too	19:27
ayoung	let me kill the browser and restart the web server	19:27
lhcheng	ayoung: okay	19:27
*** gokrokve has quit IRC		19:30
*** gokrokve has joined #openstack-keystone		19:31
*** gokrokve has quit IRC		19:31
*** afazekas has quit IRC		19:32
*** devlaps has quit IRC		19:36
lhcheng	ayoung: heading out for lunch, brb	19:47
*** lhcheng is now known as lhcheng_afk		19:47
ayoung	lhcheng, OK. THanks	19:47
*** rushiagr is now known as rushiagr_away		19:52
ayoung	nkinder, something is wonky. Now the Keystone redirect is going to	19:54
ayoung	http://192.168.1.61:5000/v3/OS-FEDERATION/identity_providers/ipsilon/protocols/saml2/auth/mellon/login	19:54
ayoung	weeeird	19:54
nkinder	what is redirecting you there? Horizon?	19:54
nkinder	ayoung: I think that's where the assertion is posted, and mellon handles it	19:55
nkinder	ayoung: look in your SP metadata	19:55
ayoung	nkinder, looking	19:55
ayoung	nkinder, in idp-metadata.xml	19:56
nkinder	ayoung: no, http_<keystone-fqdn>_metadata.xml	19:56
ayoung	nothin points to port 5000	19:56
ayoung	http_federate.cloudlab.freeipa.org_keystone.xml	19:57
nkinder	yeah, that one	19:57
ayoung	nkinder, not quite	19:58
nkinder	ayoung: can you pastebin your xml file?	19:59
ayoung	wilco	19:59
*** gokrokve has joined #openstack-keystone		19:59
ayoung	nkinder, http://paste.openstack.org/show/197222/	20:00
nkinder	ayoung: ok, so it should be postResponse	20:00
nkinder	ayoung: have you looked at the series of redirects that is happening?	20:01
ayoung	nkinder, I wonder why it is just hanging...but it looks to be a disconnect between Horizon and Mellon then?	20:01
ayoung	That was the first one	20:01
ayoung	I tried with curl	20:02
nkinder	what URL did you hit with curl?	20:02
ayoung	<p>The answer to your request is located <a href="http://192.168.1.61:5000/v3/OS-FEDERATION/identity_providers/ipsilon/protocols/saml2/auth/mellon/login?ReturnTo=http%3A%2F%2F192.168.1.61%3A5000%2Fv3%2Fauth%2FOS%2DFEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttp%3A%2F%2Ffederate.cloudlab.freeipa.org%2Fauth%2Fwebsso%2F&IdP=https%3A%2F%2Fipa.cloudlab.freeipa.org%2Fidp%2Fsaml2%2Fmetadata">here</a>.</p>	20:02
ayoung	Um	20:02
ayoung	http://192.168.1.61:5000/v3/auth/OS-FEDERATION/websso/saml2?origin=http://federate.cloudlab.freeipa.org/auth/websso/	20:02
nkinder	ok, and that goes to your IdP first, right?	20:02
nkinder	then the assertion is posted back?	20:03
ayoung	yeah, that is the URL that horizon redirects me to. It was working earlier...or so I thought.	20:03
nkinder	ayoung: I don't understand. You are hitting keystone with curl. At what point does it get to Horizon?	20:04
nkinder	it should go keystone->idp->keystone->horizon	20:04
ayoung	nkinder, I started with:	20:04
ayoung	http://federate.cloudlab.freeipa.org/	20:05
ayoung	that redirects to	20:05
ayoung	http://federate.cloudlab.freeipa.org/auth/login/?next=/	20:05
ayoung	that renders fine. I hit "Connect"	20:05
ayoung	and it was spinning forever	20:05
ayoung	so I started tracing using the SAML plugin in FIrefox and got the redirect to	20:05
ayoung	POST http://federate.cloudlab.freeipa.org/auth/login/	20:06
ayoung	rather, that is what I posted, and then	20:06
*** ericksonfgds_ has quit IRC		20:07
*** afazekas has joined #openstack-keystone		20:07
ayoung	Hmmm, not sure where I made the connection with the Keystone url...saw it in some earlier tracing	20:09
ayoung	ah...I know	20:09
ayoung	it was from rpdb in the DOA code	20:09
raildo	dstanek, ayoung bye bye domain table: http://paste.openstack.org/raw/197223/ :P	20:09
ayoung	hast la vista	20:10
stevemar	whoa, i been in meetings for about 2 hrs, and i return to see ayoung deep in sso code	20:12
ayoung	http://federate.cloudlab.freeipa.org:5000/v3/auth/OS-FEDERATION/websso/saml2 seems to redirect	20:12
ayoung	is that the same URL	20:12
ayoung	nkinder, ah, IP address versus hostname	20:13
ayoung	Guessing that Apache is being picky there	20:13
nkinder	doh	20:13
ayoung	let me see if I did that	20:13
*** ericpete_ has joined #openstack-keystone		20:13
mfisch	hey keystoners, when you rescope a token do you get a new expiration?	20:13
bknudson	mfisch: you get the same expiration	20:14
mfisch	thanks bknudson	20:14
mfisch	so much for your hax0r ericpete_	20:14
ericpete_	thanks bknudson	20:14
ayoung	{"error": {"message": "Unable to reconcile identity attribute user_id as it has conflicting values admin and 1c07ce91fa64470db1a6a17dac553df2 (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}	20:14
bknudson	it's easy to test	20:14
ayoung	new message erre!	20:14
ayoung	error!	20:14
ayoung	stevemar, I'm close to having a working round trip here.	20:15
stevemar	ayoung, that one is not coming from federation-y stuff	20:16
mfisch	I like that word ^	20:16
ayoung	stevemar, Its in Keystone	20:17
ayoung	its the response from when ipsilon redirects back	20:17
ayoung	which was working before, so...	20:17
stevemar	ayoung, yeah, i meant it's not from keystone/contrib/federation (or at least i don't think so...)	20:17
stevemar	mfisch, i'm great at making up words	20:17
ayoung	stevemar, its from websso code	20:18
stevemar	thats my excuse for poor spelling	20:18
ayoung	http://federate.cloudlab.freeipa.org:5000/v3/OS-FEDERATION/identity_providers/ipsilon/protocols/saml2/auth/mellon/postResponse	20:18
ayoung	so...mod_auth_mellon	20:18
*** timcline has quit IRC		20:19
*** timcline has joined #openstack-keystone		20:20
ayoung	nop;e	20:20
ayoung	"GET /v3/auth/OS-FEDERATION/websso/saml2?origin=http://federate.cloudlab.freeipa.org/auth/websso/ HTTP/1.1" 401 230 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0"	20:20
nkinder	ayoung: that's because federation can map to real users now	20:20
nkinder	ayoung: so you can't use the same username for a federated user as one who exists in the identity backend for the same domain	20:20
ayoung	must have picked up admin instead of ayoung...bet I messed with ipsilon	20:21
nkinder	yeah, that would make sense	20:21
ayoung	yeah,. ips thinks I'm logged in	20:21
nkinder	ayoung: logout from ipsilon, kill the mellon cookie, and try it fresh	20:22
nkinder	...and use ayoung	20:22
ayoung	ok...back to	20:22
ayoung	AttributeError at /auth/websso/	20:22
ayoung	'NoneType' object has no attribute 'token'	20:22
*** lhcheng_afk is now known as lhcheng		20:22
ayoung	stevemar, http://paste.openstack.org/show/197226/	20:23
ayoung	I get that now	20:23
*** david8hu has quit IRC		20:24
ayoung	I'm using lhcheng 's webssso patch for DOA pre-jamie's patch	20:24
*** jeffDeville has joined #openstack-keystone		20:24
*** david8hu has joined #openstack-keystone		20:24
nkinder	ayoung: have you traced things and verified that you are getting a token back in the javascript?	20:24
ayoung	above that I see	20:24
ayoung	2015-03-27 20:22:29.818902 No authentication backend could be determined to handle the provided credentials. This is likely a configuration error that should be addressed.	20:24
ayoung	2015-03-27 20:22:29.820037 Internal Server Error: /auth/websso/	20:24
ayoung	nkinder, I was before. I think the problem is Django trying to handle it	20:25
nkinder	sounds like it	20:25
lhcheng	ayoung: you might need to get the PS 20 of DOA patch	20:26
ayoung	looking	20:26
lhcheng	ayoung, the error msg you got is related to the new plugin code	20:26
ayoung	lhcheng, I am on 20	20:26
ayoung	at least, I thought I was...	20:27
ayoung	commit 6197368e92fbe71e16f832914d49d242f9cb110f	20:27
ayoung	nope...21	20:27
ayoung	ok..that makes sense...	20:27
ayoung	KeystoneAuthException at /auth/websso/	20:28
ayoung	An error occurred authenticating. Please try again later.	20:28
ayoung	OK, new error	20:28
ayoung	lhcheng, http://paste.openstack.org/show/197228/	20:30
ayoung	lhcheng, want me to put a break point in there and see what is causing it?	20:31
openstackgerrit	Steve Martinelli proposed openstack/keystone: Change the way values are migrated for 007_add_remote_id_table https://review.openstack.org/168239	20:32
stevemar	morganfainberg, dstanek ^ that should be the last patch for one of the FFEs	20:33
lhcheng	ayoung: yeah, that would be great	20:34
dstanek	stevemar: cool, i	20:34
dstanek	'll take a look in a few	20:34
stevemar	ty	20:34
ayoung	Unable to establish connection to http://federate.cloudlab.freeipa.org:5000/v3/auth/tokens	20:34
ayoung	wha	20:34
ayoung	hmmm	20:34
ayoung	that URL is legit	20:35
ayoung	lhcheng, OK, SAML token came through from Keystone <QueryDict: {u'token': [u'e24d04bd3847453cb8a632c5ede71084']}>	20:37
ayoung	print unscoped_auth	20:38
ayoung	<keystoneclient.auth.identity.v3.token.Token object at 0x7fc9f77cff50>	20:38
ayoung	(Pdb) unscoped_auth_ref = unscoped_auth.get_access(session)	20:39
ayoung	*** ConnectionRefused: Unable to establish connection to http://federate.cloudlab.freeipa.org:5000/v3/auth/tokens	20:39
lhcheng	ayoung, good find, DOA expects the token string to be submitted.	20:39
lhcheng	ayoung: keystone submit it back using: https://github.com/openstack/keystone/blob/master/etc/sso_callback_template.html#L10	20:39
lhcheng	ayoung: keystone reads it from the auth response here: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L293	20:40
ayoung	So this is converting the unscoped token for a scoped one	20:41
lhcheng	ayoung: Yup, that what DOA does with the federated token.	20:41
ayoung	but looks like a connection error...which is strange because it is the same machine	20:42
*** c_soukup has joined #openstack-keystone		20:42
*** joesavak has joined #openstack-keystone		20:43
*** raildo has quit IRC		20:44
*** csoukup has quit IRC		20:45
*** jeffDeville has quit IRC		20:45
*** jeffDeville has joined #openstack-keystone		20:46
*** afazekas has quit IRC		20:47
ayoung	so the frist thing this is doing is reauthenticating. Probably not strictly wrong, but wasteful	20:47
lhcheng	ayoung: ah horizon and keystone run on the same apache	20:47
ayoung	yeah	20:48
lhcheng	ayoung: yeah, that's strange. It should be just fine	20:48
ayoung	devstack setup	20:48
ayoung	lhcheng, let me make sure login with userid and password works	20:49
lhcheng	ayoung, if you try the username/password login from horizon, does it work?	20:49
lhcheng	heh	20:49
*** jeffDeville has quit IRC		20:50
ayoung	no rouite to host	20:53
*** samueldmq_ has quit IRC		20:53
stevemar	samueldmq-away, lbragstad, morganfainberg we need a call made on this one: https://bugs.launchpad.net/keystone/+bug/1424500	20:54
openstack	Launchpad bug 1424500 in Keystone "Federation list projects endpoint does not honor project inherited role assignments" [Medium,Triaged] - Assigned to Samuel de Medeiros Queiroz (samueldmq)	20:54
ayoung	GAH	20:56
*** mfisch has quit IRC		20:56
ayoung	DHCP why have you changed my hosts IP!	20:56
*** mfisch has joined #openstack-keystone		20:57
*** mfisch is now known as Guest90957		20:57
ayoung	nkinder, We have re-entry. The Death Star Has Cleared THe Planet!	20:59
ayoung	lhcheng, thanks a bunch.	20:59
lhcheng	ayoung: it works now?	21:00
*** spandhe has quit IRC		21:00
-openstackstatus- NOTICE: Gerrit maintenance commences in 1 hour at 22:00 UTC http://lists.openstack.org/pipermail/openstack-dev/2015-March/059948.html		21:00
ayoung	lhcheng, yes it does	21:02
lhcheng	\o/	21:02
*** spandhe has joined #openstack-keystone		21:02
ayoung	lhcheng, how hard is the rework on top of Jamie's patch?	21:03
lhcheng	ayoung, it isn't that bad, just been distracted with some other work	21:07
lhcheng	ayoung, will try to get something up by weekend	21:07
ayoung	lhcheng, Where i sit, it is the weekend now	21:07
ayoung	lhcheng, thanks for doing this	21:07
lhcheng	rather before weekend ends :P	21:08
lhcheng	ayoung, by monday then	21:08
*** timcline has quit IRC		21:11
*** carlosmarin has quit IRC		21:14
*** gyee has joined #openstack-keystone		21:14
*** ChanServ sets mode: +v gyee		21:14
nkinder	ayoung: awesome!	21:15
ayoung	nkinder, the last bit was cuz DHCP decided I needed a new internal IP address	21:15
nkinder	ayoung: so rev.20 of the DOA patch, plus the horizon patch were needed	21:15
nkinder	ayoung: ...and you had to use the /auth/websso path on the trusted_dashboard setting	21:16
*** ericpete_ has quit IRC		21:16
ayoung	yes...well	21:16
ayoung	/auth/websso/	21:16
ayoung	the final slash was essential, got and error without it	21:16
nkinder	oh, that's slightly annoying	21:17
ayoung	had to set the auth stuff to v 3 for horizon	21:17
nkinder	I wonder if we should make keystone strip the slash of both sides before comparing	21:17
nkinder	failing due to a trailing slash seems overly picky	21:18
nkinder	ayoung: it was giving you the "not a trusted dashboard" error?	21:18
ayoung	yeah.	21:18
ayoung	but, its a config option, it insists on it matching...I think that is OK	21:19
nkinder	ayoung: that's worth a fix to avoid people running into it IMHO	21:19
lhcheng	nkinder: I think that should be even relax it further, just checking the hostname for trusted_dashboard.	21:19
nkinder	lhcheng: yeah, possibly	21:19
nkinder	lhcheng: I suppose it would be something where you could configure what origin the dashboard sends	21:20
nkinder	lhcheng: then it's up to the deployer how picky they want to be	21:20
nkinder	lhcheng: as long as it works for kilo, I'll be happy regardless of how picky it is :)	21:20
ayoung	nkinder, so biggest thing is getting the Horizon patch in	21:21
nkinder	ayoung: yes	21:21
ayoung	that is FFE.	21:21
nkinder	ayoung: it's been through a ton of revisions	21:22
nkinder	ayoung: the outstanding comments are simple to address	21:23
lhcheng	nkinder: yeah, we could look at that for liberty. Should be okay to relax later, without impacting the backward compatability.	21:23
ayoung	Patch in Merge Conflict	21:29
stevemar	nkinder, yeah lhcheng and i were talking about relaxing the check	21:33
stevemar	i'd be okay with merging a simple rstrip('/') in keystone :)	21:35
*** stevemar has quit IRC		21:42
*** spandhe has quit IRC		21:44
*** mattfarina has quit IRC		21:44
-openstackstatus- NOTICE: Gerrit is offline for maintenance, ETA 22:30 UTC http://lists.openstack.org/pipermail/openstack-dev/2015-March/059948.html		22:04
*** ChanServ changes topic to "Gerrit is offline for maintenance, ETA 22:30 UTC http://lists.openstack.org/pipermail/openstack-dev/2015-March/059948.html"		22:04
*** joesavak has quit IRC		22:08
*** dimsum__ has quit IRC		22:09
*** lhcheng has quit IRC		22:14
*** spandhe has joined #openstack-keystone		22:16
*** ayoung has quit IRC		22:19
*** c_soukup has quit IRC		22:19
*** dimsum__ has joined #openstack-keystone		22:20
morganfainberg	of course stevemar has disappeared	22:22
morganfainberg	:P	22:22
*** thedodd has quit IRC		22:27
dstanek	Friday night man. Places to go and eople to see.	22:27
*** spandhe has quit IRC		22:28
dstanek	...and i have to get back to my vim plugin	22:28
*** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 \| Review RC Blocking Reviews. \| RC Milestone: https://launchpad.net/keystone/+milestone/kilo-rc1"		22:33
*** lhcheng has joined #openstack-keystone		22:37
*** lhcheng_ has joined #openstack-keystone		22:39
*** markvoelker has quit IRC		22:40
*** lhcheng has quit IRC		22:42
*** gordc has quit IRC		22:43
*** spandhe has joined #openstack-keystone		22:44
*** gyee has quit IRC		22:58
*** pnavarro\|off has quit IRC		23:12
*** _cjones_ has quit IRC		23:21
*** timcline has joined #openstack-keystone		23:37
*** markvoelker has joined #openstack-keystone		23:41
lhcheng_	if I get a project scoped token using federated token, would the response have any indicator if the user account is federated or not?	23:42
lhcheng_	morganfainberg: ^	23:42
*** lhcheng_ is now known as lhcheng		23:42
morganfainberg	lhcheng, it should contain the federated info iirc	23:43
rodrigods	lhcheng, I believe there is a OS_FEDERATION	23:43
morganfainberg	and the list of federated groups	23:43
morganfainberg	rodrigods, ++	23:43
morganfainberg	it might be part of the user object	23:43
* morganfainberg would need to 2x check		23:43
rodrigods	I saw this yesterday, at least in the docs there is a OS_FEDERATION field in the user object	23:43
lhcheng	morganfainberg: interesting, trying to figure out if horizon can rely on the token response (accessInfo) to figure if the user is federated or not	23:45
lhcheng	morganfainberg: rather than horizon keeping that flag and pass around	23:46
lhcheng	rodrigods: the user object may not help that much, since the login federated user may not have access to get user info	23:46
*** markvoelker has quit IRC		23:46
lhcheng	rodrigods: but good to know though :)	23:46
rodrigods	lhcheng, the user object inside the token	23:46
lhcheng	rodrigods: oh	23:47
rodrigods	lhcheng, let me find here..	23:47
rodrigods	lhcheng, https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#request-a-scoped-os-federation-token	23:48
rodrigods	the response	23:48
*** iwi has quit IRC		23:48
lhcheng	ugh, too bad it isn't expose in the AccessInfo object	23:49
lhcheng	rodrigods: thanks! have to figure out something to get that info	23:50
*** dimsum__ has quit IRC		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!