Thursday, 2015-05-07

*** ankita_w_ has quit IRC		00:07
morganfainberg	lhcheng: keystone will need to have compat code if the interface changes. The idea is we will be able to load a different version, but if the version is different, you need to support the old versions	00:14
morganfainberg	lhcheng: this is so we can change the interface.	00:16
lhcheng	morganfainberg: would that mean the manager class would have handle making the appropriate call to the interface depending on the driver interface version it see?	00:18
lhcheng	morganfainberg: or implement some adapter pattern that connects manager and driver	00:18
morganfainberg	Or a layer between the manager and driver.	00:18
lhcheng	morganfainberg: yeah, something like that	00:19
morganfainberg	That is part of what I want to design at the summit.	00:19
morganfainberg	And ayoung isn't here have a couple of replies for him. Bah.	00:20
lhcheng	morganfainberg: okay, let's wait for the summit then	00:25
lhcheng	are you working on StrictABC?	00:25
lhcheng	or is that something to be implemented? :)	00:25
morganfainberg	lhcheng: I have the first pass posted but I need to split it to it's own lib.	00:26
morganfainberg	Under Oslo	00:27
lhcheng	morganfainberg: cool, found your patch under keystone	00:30
lhcheng	will take a pass on it.	00:31
*** rm_work is now known as rm_work\|away		00:35
*** ankita_wagh has joined #openstack-keystone		00:43
*** _cjones_ has quit IRC		00:47
*** sigmavirus24 is now known as sigmavirus24_awa		00:56
samueldmq	morganfainberg, should we write a cross-project spec for having services fully working with v3 ?	01:06
samueldmq	morganfainberg, so people from other projects can understand better why we are creatig v3 only gate jobs, and all the bugs we open would refer to that bp/spec	01:07
samueldmq	jamielennox, cc ^	01:09
jamielennox	samueldmq: it can't hur t	01:09
jamielennox	but i haven't really had an issue convincing services to accept v3, most people know it's been around for a while	01:09
samueldmq	jamielennox, not to convince them or let them know it's necessary, but only to sync up goals	01:10
samueldmq	jamielennox, and have a common bp/spec for where we can point to	01:10
samueldmq	jamielennox, as we find bugs/fix them	01:10
samueldmq	jamielennox, btw see https://bugs.launchpad.net/tempest/+bug/1451987	01:11
openstack	Launchpad bug 1451987 in tempest "Tempest against openstack deployed with keystone v3 only, fails to initialize" [Undecided,Confirmed]	01:11
jamielennox	yea, i was thinking when i was doing the heat stuff i should just make one v3 auth bug and file all the project names against it as i find them	01:12
jamielennox	it makes sense as a bug, i don't know if it makes sense as an openstack spec because v3 has been approved a long time ago	01:12
samueldmq	jamielennox, not really a spec, just a bp then	01:12
samueldmq	jamielennox, something nice to have, but is not a bug (the behavior is not wrong, we just dont support yet)	01:13
samueldmq	makes sense?	01:13
jamielennox	sure, it's good to have something to tie all the reviews together	01:13
samueldmq	jamielennox, cool, so where so the bp live ?	01:14
samueldmq	should*	01:15
jamielennox	umm, it would have to be somewhere global, i don't know where the openstack-specs blueprints actually go	01:16
*** ayoung has joined #openstack-keystone		01:27
*** ChanServ sets mode: +v ayoung		01:27
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Refactor request methods onto request object https://review.openstack.org/180394	01:44
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol https://review.openstack.org/180816	01:44
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Make token bind work with a request https://review.openstack.org/180817	01:44
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class https://review.openstack.org/180818	01:44
*** _cjones_ has joined #openstack-keystone		01:48
ayoung	richm, so packstack does not have a hell of a lot of Keystone options	01:52
ayoung	I ran packstack --gen-answer-file=rdo.answers.txt	01:52
ayoung	and looking at what it sets, there does not seem to be a way to change the ports for Keystone AUTH_URL. DOes the Puppet module lock us in like that, too? Is there any way to set https as the protocol?	01:53
*** zzzeek has quit IRC		01:53
richm	ayoung: what version?	01:57
ayoung	richm, I'm running right out of yum defaults at the moment	01:57
ayoung	test day instructions	01:57
ayoung	let me see....	01:57
ayoung	richm, openstack-packstack-2014.2-0.23.dev1468.gd049ea9.el7.noarch	01:58
richm	ok - so that's juno-ish	01:58
jamielennox	ayoung: i appreciate the auth_token reviews - however you started at the end of the queue :)	01:59
ayoung	jamielennox, I realized, and then I switched to the old view	01:59
ayoung	the new view does a lot of things right, but dropping the dependencies was not one of them	02:00
ayoung	jamielennox, I think I got them all. Nice and small patches like that are easy to review	02:01
ayoung	jamielennox, what needs to stay fixed on the auth info stuff? What can we not break?	02:01
jamielennox	ayoung: wow - i hadn't seen that	02:01
jamielennox	ayoung: htanks	02:01
richm	ayoung: you are correct - packstack has no option to configure keystone to listen to different ports	02:02
ayoung	richm, and to set https?	02:02
richm	ayoung: because why would anyone ever want to do that? :-(	02:02
ayoung	Heh	02:02
richm	ayoung: nope	02:02
*** stevemar has joined #openstack-keystone		02:04
*** ChanServ sets mode: +v stevemar		02:04
ayoung	jamielennox, does auth info have to remain a dictionary? We don't support other people adding values to it, right?	02:05
jamielennox	ayoung: it needs to remain a dict in keystoneclient, i moved it off that in keystoneauth	02:06
ayoung	jamielennox, does it need to be a dict, or just act like one?	02:06
ayoung	Heh....read that out loud. Funny	02:06
jamielennox	ayoung: i don't think it needs to be a dict	02:07
*** browne1 has quit IRC		02:07
ayoung	is keystoneauth live?	02:08
richm	ayoung: those options are there in puppet-keystone but packstack does not use them	02:08
ayoung	richm, port and https both?	02:08
jamielennox	ayoung: no, not yet	02:08
richm	ayoung: yes	02:09
ayoung	richm, cool. I wonder if I can hack pack stack atack mack what was I saying....	02:09
richm	ayoung: puppet-keystone class keystone has a list of 50 or 60 configuration parameters, among which are the public_port, admin_port, and enable_ssl	02:09
openstackgerrit	liusheng proposed openstack/keystone: Replace github reference by git.openstack.org and change a doc link https://review.openstack.org/180390	02:11
ayoung	jamielennox, are you actively working on keystoneauth right now?	02:12
jamielennox	ayoung: not right this second	02:12
ayoung	jamielennox, but that is your work in http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth/auth/identity or is it morganfainberg 's?	02:12
jamielennox	oh - that's in openstack/ so it's all moved into gerrit etc	02:13
jamielennox	we've proposed and merged a bunch of fixes	02:13
jamielennox	mostly me propose, morganfainberg stamps it	02:13
ayoung	jamielennox, so my AccessInfo code goes in there>?	02:14
jamielennox	i think the intention was to have some pre releases around summit time, then a real version not long after	02:14
jamielennox	i need to make sure i can actually get ksc to work on top of ksa	02:14
ayoung	jamielennox, so, I think moving https://review.openstack.org/#/c/138519/ is right, but it still doesn't resolve our differences. How far apart are we?	02:15
jamielennox	i still don't think i want the model,	02:16
jamielennox	with https://review.openstack.org/#/c/180818/ i'd say we're a couple of reviews away from having auth_token consumed by client	02:16
jamielennox	consumer by server i mean	02:17
richm	ayoung: https://github.com/stackforge/puppet-keystone/blob/master/manifests/init.pp	02:17
richm	ayoung: packstack - https://github.com/stackforge/packstack/blob/master/packstack/puppet/templates/keystone.pp#L20	02:17
jamielennox	on of my end goals with this auth_token clean up is to figure out what i can use between keystone server and auth_token	02:18
jamielennox	that last review is moving towards a base class that AuthProtocol subclasses	02:18
ayoung	jamielennox, ok...let's get that far. I think model is the right way to go, but I'll let you run before we get there.	02:18
ayoung	richm, Ok so If I want to affect a change in https://github.com/stackforge/packstack/blob/master/packstack/puppet/templates/keystone.pp#L20 let me see	02:19
jamielennox	i think i can get it down to like one or two abstract functions for fetch_token() which keystone will have to implement different to auth_token middleware - because it uses the db and not a fetch or a cache	02:19
ayoung	richm, https://github.com/stackforge/packstack/blob/master/packstack/puppet/templates/keystone.pp#L7 I guess I need a param for that line	02:20
ayoung	jamielennox, well, not completely	02:20
ayoung	with tokenless we'll have to build one on the fly	02:20
jamielennox	ayoung: are you building a token on the fly or are you just not building one?	02:21
ayoung	jamielennox, we still need to run policy, so we need all the same values. I don;t need to call it a token, but I need all the AuthInfo	02:21
jamielennox	yea, ok -	02:22
jamielennox	at it's most basic there you could simply put a "FAKEVAL" in X-Auth-Token if it's not found and if you get a fetch for that id you build a token as you go	02:23
jamielennox	there are ways we can get around that	02:23
jamielennox	it just depends if we care about that token passing through normal validation after that	02:23
jamielennox	anyway, everything those reviews are proposing for now is private until I can have a chance to look at actually using it from the server	02:24
richm	ayoung: $keystone_url is only used to set up the public_url and internal_url endpoints	02:26
richm	ayoung: it does nothing for configuring keystone to listen to that protocol/port	02:26
ayoung	richm, so, if I were to leave it on 5000 and 35357, but wanted to set things for https, I need to set the SSLRequireSSL param in the virtual host section. Is that possible?	02:27
*** _cjones_ has quit IRC		02:27
ayoung	that is an HTTPD thing, right?	02:28
richm	ayoung: see https://github.com/stackforge/packstack/blob/master/packstack/puppet/templates/keystone.pp#L35	02:28
richm	yes, it's an httpd thing	02:28
*** lhcheng has quit IRC		02:29
ayoung	richm, line 1 forces that to false. Can that be set externally?	02:29
richm	ayoung: maybe you just need to have $keystone_use_ssl = true	02:29
richm	ayoung: no	02:29
*** lhcheng has joined #openstack-keystone		02:30
*** ChanServ sets mode: +v lhcheng		02:30
*** lhcheng has quit IRC		02:30
richm	ayoung: https://github.com/stackforge/puppet-keystone/blob/master/manifests/wsgi/apache.pp#L107	02:30
richm	lots of ssl related params there	02:30
ayoung	richm, do I need to do $keystone_use_ssl = hiera('CONFIG_KEYSTONE_USE_SSL'),	02:30
richm	none of which can be set via packstack	02:30
ayoung	richm, I think that might be a lost cause. I think to do port 5000, you need a virtual host, but to do 443 you can't use a virtual host	02:31
richm	ok - fyi there is no such packstack parameter CONFIG_KEYSTONE_USE_SSL	02:32
richm	unless you were proposing to add it	02:32
ayoung	richm, yep, I just invented that	02:32
ayoung	I probably need to run packstack on one VM and have it connect to another to actually run for development...and then script blowing away and restarting that other one	02:33
ayoung	if I do KEYSTONE_USE_SSL we also need to update the auth_url all of the other services get	02:34
ayoung	that is actually the painful part. it ends up in the service catalog in the database	02:34
*** davechen has joined #openstack-keystone		02:35
morganfainberg	ayoung: yes prerelease of ksa around summit.	02:35
* morganfainberg is just walking in after travel.		02:35
ayoung	morganfainberg, can you convince jamielennox that model is a good thing? I think besides that we can make things work	02:35
ayoung	morganfainberg, I'm going to let him go as far as he can with the exisint auth info, in the direction of getting the server to consume auth_token	02:36
richm	ayoung: yeah, it's pretty painful - there are a lot of places where 'http' and '5000' and '35357' and in some cases 'v2.0' are hard coded in packstack and openstack puppet modules	02:36
morganfainberg	ayoung: I think this is going to be a summit topic at this point.	02:36
ayoung	morganfainberg, figured	02:36
jamielennox	:)	02:37
richm	ayoung: I'm trying to tackle the 'v2.0' part now	02:37
morganfainberg	richm: my guess is that is partially inherited when someone looked at devstack to make them.	02:37
morganfainberg	Just a hunch.	02:37
richm	morganfainberg: no doubt a lot of cargo cult stuff	02:37
ayoung	richm, am I right about the virtual host thing?	02:37
morganfainberg	samueldmq: ping. Home now.	02:37
richm	ayoung: I'm not sure	02:37
richm	ayoung: never tried it	02:37
ayoung	richm, nah, I mean from what you know about apache	02:38
richm	ayoung: it probably won't work since there is another puppet virtual host resource setting up 443 e.g. horizon	02:38
ayoung	could we drop the virtual host for keystone and still have it on 5000 and 35357	02:38
ayoung	richm, so, yeah, it can't be in a virtual host, and it shouldn't be either	02:38
ayoung	I want keystone under /keystone	02:38
ayoung	https://hostname/keystone/admin and https://hostname/keystone/main	02:39
ayoung	richm, ok...dumb idea time	02:41
ayoung	what if we put Listen 5000 and Listen 35357 outside of the virtual host entries?	02:42
ayoung	then..make no distinction between admin and main	02:42
richm	ayoung: they already are	02:42
* ayoung goes to find a server to look		02:42
richm	ayoung: looks like puppet apache::mod::ssl doesn't support SSLRequireSSL	02:42
samueldmq	morganfainberg, hi, I was planning to creating a cross-project bp, so we could link all bugs we find/changes we need to it	02:42
richm	ayoung: /etc/httpd/conf/ports.conf	02:42
samueldmq	morganfainberg, I am talking about the v3 support	02:42
morganfainberg	Sure. Should be easy.	02:43
ayoung	richm, and no 443 in mine...ok	02:43
ayoung	richm, so <VirtualHost *:35357> must just match when a request comes in on that port	02:44
ayoung	morganfainberg, what is the plan for 5000 vs 35357 for v3? Just use 35357?	02:44
samueldmq	morganfainberg, however I don't think we have a project for cross-project bps, since blueprints are held in lp	02:45
ayoung	I thought we were trying to kill the two port thing	02:45
samueldmq	morganfainberg, I know we have cross-projects specs, but not sure this is the case	02:45
ayoung	richm, the v3 pipeline is identitcal for both ... I think	02:45
*** richm has quit IRC		02:45
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini#n82	02:46
morganfainberg	ayoung: I think 5000 is the choice because 35357 and ephemeral port bs	02:46
morganfainberg	ayoung: but short term: v3 works on both.	02:46
ayoung	morganfainberg, but we are going down to one, right?	02:46
ayoung	and v3 is identical?	02:46
morganfainberg	ayoung: yes v3 should be identical.	02:47
ayoung	so..if we go for keystone without v2.0, we only need one port	02:47
morganfainberg	And I want to drop one of the ports for sure.	02:47
ayoung	morganfainberg, what if we ran only admin and v3.0 would everything work?	02:47
morganfainberg	Once v2 dies	02:47
ayoung	admin v2.0 and v3	02:47
morganfainberg	Dunno. Haven't tried that.	02:47
morganfainberg	Maybe.	02:47
ayoung	morganfainberg, what if I submit a patch for that and we see if it makes it through check on Zuul....	02:48
morganfainberg	ayoung: if we merge admin and main together it'd probably do what you want.	02:48
ayoung	drop the 'main ' pipeline and have the admin cover both....	02:48
morganfainberg	jamielennox: I think pecan is the right direction btw.	02:48
morganfainberg	ayoung: yes.	02:48
ayoung	morganfainberg, let me try that....	02:49
morganfainberg	ayoung: that would be the step I'd take.	02:49
morganfainberg	jamielennox: vs falcon. Based on a lot of internal emails and the thread you started.	02:49
*** r-daneel has quit IRC		02:49
*** zzzeek has joined #openstack-keystone		02:50
morganfainberg	jamielennox: and if pecan is lacking / silly we should work on fixing it. (Afaict the benchmarks are not really representative of a real system, so I'd go pecan since it is fairly well known)	02:50
morganfainberg	In falcon that is ^ hence pecan	02:51
morganfainberg	ayoung: I think we have a deprecation message for non-http keystone already.	02:51
*** dims_ has quit IRC		02:51
morganfainberg	ayoung: from the earlier statement you made.	02:51
ayoung	morganfainberg, I'm trying to get packstack and puppet in line with https everywhere right now	02:52
*** dims has joined #openstack-keystone		02:52
morganfainberg	Nod	02:52
jamielennox	morganfainberg: yea, that's fine. It's pretty much the answer i was expecting, dstanek was keen on the falcon POC and i think pecan is not great for APIs so i thought i'd see if it was even worth doing other pocs	02:53
morganfainberg	Right.	02:54
jamielennox	nothing can't be done with pecan	02:54
jamielennox	though people might have to toughen up and look at the review	02:54
*** ankita_wagh has quit IRC		02:56
samueldmq	morganfainberg, so ... since we don't have cross-project bp ... should we create a cross-project spec ? just a bug ?	02:59
jamielennox	this might actually be a job for storyboard - or that might be a rabbit hole	03:01
samueldmq	jamielennox, hmm .. A task tracking system for inter-related projects	03:03
samueldmq	it's said :)	03:03
jamielennox	i don't know however if those projects all need to be registered on storyboard	03:03
jamielennox	or what the state of gerrit integration there is etc	03:03
*** markvoelker has quit IRC		03:04
samueldmq	yeah, me too, I've never heard someone does use it =x	03:04
*** zzzeek has quit IRC		03:05
*** dims has quit IRC		03:11
openstackgerrit	David Stanek proposed openstack/python-keystoneclient: Removes temporary fix for doc generation https://review.openstack.org/121667	03:13
morganfainberg	samueldmq: bring it up in the x-project meeting.	03:22
samueldmq	morganfainberg, ack, will add a topic to it (https://wiki.openstack.org/wiki/Meetings/CrossProjectMeeting)	03:23
morganfainberg	samueldmq: make sure to read how topics are added to that meeting b	03:24
morganfainberg	You might need to talk to ttx	03:24
samueldmq	morganfainberg, great will do, thanks	03:25
samueldmq	morganfainberg, would be good to have that spec/bp whatever by the summit	03:25
samueldmq	imo	03:25
openstackgerrit	Priti Desai proposed openstack/keystone: Unable to list role assignments in Project https://review.openstack.org/180846	03:29
*** browne has joined #openstack-keystone		03:36
*** links has joined #openstack-keystone		03:45
openstackgerrit	ayoung proposed openstack/keystone: Make everything use admin for V2.0 https://review.openstack.org/180848	03:48
ayoung	morganfainberg, so ^^ fails a bunch of tests, but the results are kindof strange	03:48
ayoung	the only change I made was using the same pipeline for both admin and main. It was the smallest change I could make to test this	03:49
*** _cjones_ has joined #openstack-keystone		03:53
*** _cjones_ has quit IRC		03:57
*** emagana has quit IRC		04:03
*** markvoelker has joined #openstack-keystone		04:04
*** samueldmq has quit IRC		04:07
openstackgerrit	Priti Desai proposed openstack/keystone: Unable to list role assignments in Project https://review.openstack.org/180846	04:07
*** markvoelker has quit IRC		04:09
*** spandhe has quit IRC		04:14
*** ankita_wagh has joined #openstack-keystone		04:21
*** emagana has joined #openstack-keystone		04:41
*** emagana has quit IRC		04:46
*** kiran-r has joined #openstack-keystone		04:51
*** stevemar has quit IRC		05:03
*** markvoelker has joined #openstack-keystone		05:05
*** lhcheng has joined #openstack-keystone		05:06
*** ChanServ sets mode: +v lhcheng		05:06
*** henrynash has joined #openstack-keystone		05:08
*** ChanServ sets mode: +v henrynash		05:08
*** markvoelker has quit IRC		05:10
*** emagana has joined #openstack-keystone		05:35
*** ankita_wagh has quit IRC		05:37
*** emagana has quit IRC		05:40
*** _cjones_ has joined #openstack-keystone		05:42
*** _cjones_ has quit IRC		05:46
*** markvoelker has joined #openstack-keystone		05:51
*** markvoelker has quit IRC		05:56
*** davechen has quit IRC		06:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/179331	06:04
*** henrynash has quit IRC		06:10
*** mflobo has quit IRC		06:13
*** spandhe has joined #openstack-keystone		06:22
*** spandhe_ has joined #openstack-keystone		06:23
*** spandhe has quit IRC		06:27
*** spandhe_ is now known as spandhe		06:27
*** mflobo has joined #openstack-keystone		06:27
*** emagana has joined #openstack-keystone		06:37
*** ankita_wagh has joined #openstack-keystone		06:38
*** emagana has quit IRC		06:42
bigjools	marekd: testshib worked for me, thanks for the great tip. I now have a problem with keystone that I don't have when using Kerberos - it hangs for 2 minutes at the ACS callback and then goes to the Log In page again with an error about authenticating. I'm using the same mapping that worked for Kerberos so not sure what's up.	06:43
*** markvoelker has joined #openstack-keystone		06:52
*** markvoelker has quit IRC		06:56
*** rm_work\|away is now known as rm_work		07:07
*** ankita_wagh has quit IRC		07:24
*** pnavarro has joined #openstack-keystone		07:24
*** _cjones_ has joined #openstack-keystone		07:30
*** krykowski has joined #openstack-keystone		07:31
*** emagana has joined #openstack-keystone		07:32
*** _cjones_ has quit IRC		07:35
*** emagana has quit IRC		07:36
*** pnavarro has quit IRC		07:40
*** lhcheng has quit IRC		07:43
*** samueldmq has joined #openstack-keystone		07:51
*** samueldmq has quit IRC		07:54
*** jistr has joined #openstack-keystone		07:54
*** rlt_ has joined #openstack-keystone		08:10
*** fhubik has joined #openstack-keystone		08:18
*** davechen has joined #openstack-keystone		08:20
*** e0ne has joined #openstack-keystone		08:23
*** emagana has joined #openstack-keystone		08:26
*** henrynash has joined #openstack-keystone		08:27
*** ChanServ sets mode: +v henrynash		08:27
*** henrynash has quit IRC		08:30
*** emagana has quit IRC		08:31
*** henrynash has joined #openstack-keystone		08:41
*** ChanServ sets mode: +v henrynash		08:41
*** fhubik_afk has joined #openstack-keystone		08:49
*** fhubik_afk is now known as fhubik_meeting		08:49
*** fhubik has quit IRC		08:49
*** markvoelker has joined #openstack-keystone		08:53
*** markvoelker has quit IRC		08:58
*** e0ne is now known as e0ne_		09:03
openstackgerrit	David Charles Kennedy proposed openstack/keystone-specs: Updated endpoint enforcement spec https://review.openstack.org/174799	09:08
openstackgerrit	David Charles Kennedy proposed openstack/keystone-specs: Updated endpoint enforcement spec https://review.openstack.org/174799	09:12
*** pnavarro has joined #openstack-keystone		09:13
*** aix has joined #openstack-keystone		09:14
*** _cjones_ has joined #openstack-keystone		09:19
*** emagana has joined #openstack-keystone		09:20
*** _cjones_ has quit IRC		09:24
*** emagana has quit IRC		09:25
*** e0ne_ is now known as e0ne		09:33
*** dims has joined #openstack-keystone		09:36
*** spandhe has quit IRC		09:37
*** fhubik_meeting is now known as fhubik		09:38
*** fhubik has quit IRC		09:38
*** fhubik has joined #openstack-keystone		09:39
*** dims has quit IRC		09:41
*** fhubik is now known as fhubik_afk		09:53
*** markvoelker has joined #openstack-keystone		09:54
*** fhubik_afk is now known as fhubik		09:54
*** mabrams has joined #openstack-keystone		09:55
*** bdossant has joined #openstack-keystone		09:58
*** markvoelker has quit IRC		09:58
*** dims_ has joined #openstack-keystone		09:59
*** emagana has joined #openstack-keystone		10:14
*** emagana has quit IRC		10:18
*** henrynash_ has joined #openstack-keystone		10:19
*** ChanServ sets mode: +v henrynash_		10:19
*** henrynash has quit IRC		10:21
*** henrynash_ is now known as henrynash		10:21
*** fhubik is now known as fhubik_afk		10:35
*** fhubik_afk is now known as fhubik		10:54
*** markvoelker has joined #openstack-keystone		10:55
*** markvoelker has quit IRC		11:00
*** _cjones_ has joined #openstack-keystone		11:08
*** emagana has joined #openstack-keystone		11:08
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Sync from oslo incubator https://review.openstack.org/180945	11:10
*** emagana has quit IRC		11:13
*** _cjones_ has quit IRC		11:13
*** henrynash has quit IRC		11:23
*** e0ne is now known as e0ne_		11:27
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Add docstrings for ``protocol`` parameter https://review.openstack.org/177303	11:29
*** mabrams has left #openstack-keystone		11:30
*** links has quit IRC		11:31
*** links has joined #openstack-keystone		11:32
*** fhubik is now known as fhubik_afk		11:50
*** e0ne_ is now known as e0ne		11:51
*** jaosorior has joined #openstack-keystone		11:52
*** openstackgerrit has quit IRC		11:52
*** openstackgerrit has joined #openstack-keystone		11:53
openstackgerrit	Merged openstack/python-keystoneclient: Adapter version is a tuple https://review.openstack.org/178866	11:54
*** markvoelker has joined #openstack-keystone		11:56
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Remove unused plugins from entrypoints https://review.openstack.org/180960	11:59
*** kiran-r has quit IRC		12:00
*** markvoelker has quit IRC		12:00
*** hogepodge has quit IRC		12:02
*** emagana has joined #openstack-keystone		12:02
*** hogepodge has joined #openstack-keystone		12:05
*** raildo has joined #openstack-keystone		12:05
*** emagana has quit IRC		12:07
*** raildo has quit IRC		12:10
*** raildo has joined #openstack-keystone		12:10
*** henrynash has joined #openstack-keystone		12:10
*** ChanServ sets mode: +v henrynash		12:10
*** henrynash has quit IRC		12:10
*** waterkinfe has joined #openstack-keystone		12:13
*** markvoelker has joined #openstack-keystone		12:15
*** waterkinfe has quit IRC		12:15
*** dikonoor has joined #openstack-keystone		12:18
*** fhubik_afk is now known as fhubik		12:18
*** winggundamth has joined #openstack-keystone		12:28
winggundamth	hi. I got error on swift that used keystonemiddleware as authentication that's said about keystoneclient here http://paste.openstack.org/show/216014/	12:30
winggundamth	just wonder is it related to keystoneclient bug about problem on self-signed https?	12:31
winggundamth	see the line that is raise exceptions.SSLError(msg)#012SSLError: SSL exception connecting to https://admin-identity.example.com: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed	12:36
*** doug-fish has joined #openstack-keystone		12:43
doug-fish	hi keystone friends. I'm trying to update some of my sample code for working with k2k auth and I am having trouble.	12:45
doug-fish	code is here: https://review.openstack.org/#/c/160851/	12:45
doug-fish	executive summary: when I try to use the k2k auth plugin I keep getting "replay detected of message ID" errors in shib	12:45
doug-fish	rodrigods: have you seen this when using the k2 auth plugin?	12:45
rodrigods	doug-fish, I should mark that patch as WIP, since the design is far from being chosen	12:49
rodrigods	:(	12:49
rodrigods	haven't properly tested it	12:49
doug-fish	sure - understood	12:50
doug-fish	I can see there is discussion in the code review	12:50
doug-fish	when you say "properly" does that mean "at all"? I'd like to just get a simple case to work	12:50
doug-fish	which used to in earlier versions of the code. I can't figure out what might be wrong.	12:50
*** dims_ has quit IRC		12:51
rodrigods	doug-fish, that code is a modification of something I had here... that code exactly I didn't test	12:51
rodrigods	yet	12:51
*** dims has joined #openstack-keystone		12:51
doug-fish	ok sure - it's a priority for me at this moment so I guess I'll dig in and see if I can sort out what's happening.	12:52
doug-fish	If I find what looks like a fix I may invoke my "co-author" rights. :-)	12:52
rodrigods	doug-fish, ok, good... I'm also doing k2k tests here	12:53
doug-fish	rodrigods: and of course, if you get a chance to test and sort out how it's working for you I'd love to hear your result	12:53
doug-fish	great	12:53
*** emagana has joined #openstack-keystone		12:57
*** _cjones_ has joined #openstack-keystone		12:57
*** emagana has quit IRC		13:01
*** _cjones_ has quit IRC		13:02
*** ctina__ has joined #openstack-keystone		13:02
doug-fish	rodrigods: I have an idea what's wrong - I've commented in https://review.openstack.org/#/c/172155/ do you mind sanity checking?	13:02
rodrigods	doug-fish, 1 sec	13:04
*** vhoward has joined #openstack-keystone		13:04
*** Ephur has joined #openstack-keystone		13:05
rodrigods	doug-fish, is the SP reusing the sessions?	13:05
rodrigods	if it is the case, it is not sending a 302	13:05
rodrigods	that block is necessary in order to retrieve the token	13:05
doug-fish	rodrigods: I can say that it is returning a 302 on the first call - I set a breakpoint in that block to confirm. I'll keep looking if you think that's not on the right track.	13:07
rodrigods	doug-fish, after the 302, we need to access the sp auth_url	13:08
* doug-fish thinking		13:08
rodrigods	something like /v3/OS-FEDERATION/identity_providers/{idp}/protocols/saml2/auth	13:09
*** fhubik has quit IRC		13:11
doug-fish	yes, I see what you are saying	13:11
doug-fish	rodrigods: you're right. I'll keeping digging.	13:12
*** kiran-r has joined #openstack-keystone		13:12
mflobo	question about endpoint filtering in keystone	13:12
mflobo	Is anyone interested in endpoint group filtering implementation?	13:13
*** nkinder has quit IRC		13:14
*** fhubik has joined #openstack-keystone		13:14
*** david-lyle has quit IRC		13:19
breton	folks, can I use v3.Token of ksc to authenticate using admin_token?	13:21
doug-fish	rodrigods: okay, here's theory 2 on the "replay detected of message ID" issue I'm seeing with k2k: each call to _get_unscoped_token is causing a new POST with the same ECP. Maybe the token should be stored and just returned?	13:21
rodrigods	doug-fish, makes sense, that was what I meant by "the SP is reusing the session"	13:22
rodrigods	doug-fish, does it work for the first request ever?	13:22
doug-fish	ah ok - I don't speak python-keystoneclient very well yet :-)	13:23
doug-fish	rodrigods: yeah - it looks like the first POST/GET works	13:23
doug-fish	but then then there is another call to get a token which gets the 500 error	13:23
rodrigods	doug-fish, cool, so you found the issue!	13:24
doug-fish	hooray!	13:24
doug-fish	is there a known pattern to fix this? not sure if get_auth_ref should be updated to store the AccessInfoV3 object maybe?	13:24
*** openstackstatus has quit IRC		13:25
rodrigods	doug-fish, you can alter _get_unscoped_token to store the response and add a comment why you are doing this	13:25
*** openstackstatus has joined #openstack-keystone		13:26
*** ChanServ sets mode: +v openstackstatus		13:26
doug-fish	rodrigods: cool - will do!	13:26
doug-fish	thanks!	13:26
*** gordc has joined #openstack-keystone		13:27
*** bdossant has quit IRC		13:27
*** gokrokve has joined #openstack-keystone		13:33
*** richm has joined #openstack-keystone		13:34
*** e0ne is now known as e0ne_		13:34
*** e0ne_ is now known as e0ne		13:37
*** sigmavirus24_awa is now known as sigmavirus24		13:38
*** joesavak has joined #openstack-keystone		13:39
*** chlong has joined #openstack-keystone		13:39
*** zzzeek has joined #openstack-keystone		13:46
openstackgerrit	Marek Denis proposed openstack/keystone: Correctly handle direct mapping with keywords https://review.openstack.org/175980	13:47
*** gokrokve has quit IRC		13:49
*** r-daneel has joined #openstack-keystone		13:49
*** lmtaylor has joined #openstack-keystone		13:51
*** kiran-r has quit IRC		13:51
*** jamielennox is now known as jamielennox\|away		13:51
*** topol has joined #openstack-keystone		13:53
*** ChanServ sets mode: +v topol		13:53
*** gokrokve has joined #openstack-keystone		13:53
*** links has quit IRC		13:54
*** gokrokve has quit IRC		13:54
*** gokrokve has joined #openstack-keystone		13:55
*** SpamapS has quit IRC		13:58
*** fhubik has quit IRC		13:59
*** nkinder has joined #openstack-keystone		14:08
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	14:19
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone: Instructions to install IETF ABFAB federation protocol on Keystone https://review.openstack.org/163878	14:27
*** mattfarina has joined #openstack-keystone		14:39
*** emagana has joined #openstack-keystone		14:41
morganfainberg	dstanek: that work session is cross track now with qa.	14:42
*** packet has joined #openstack-keystone		14:43
morganfainberg	doug-fish: the replay warning/error happens if you try and reuse the saml assertion in appropriately. When we were doing testing we ran into that with using a test assertion w/o restarting shib.	14:43
morganfainberg	doug-fish: it is a security thing.	14:43
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone: Instructions to install IETF ABFAB federation protocol on Keystone https://review.openstack.org/163878	14:45
*** _cjones_ has joined #openstack-keystone		14:45
*** david-lyle has joined #openstack-keystone		14:49
*** _cjones_ has quit IRC		14:50
*** fhubik has joined #openstack-keystone		14:52
* breton doesn't understand ksc sessions		14:53
*** jsavak has joined #openstack-keystone		14:53
*** fhubik has quit IRC		14:53
*** fhubik has joined #openstack-keystone		14:54
*** joesavak has quit IRC		14:55
*** joesavak has joined #openstack-keystone		14:56
*** jsavak has quit IRC		14:58
breton	http://paste.openstack.org/show/216224/ why do I get the exception?	15:02
*** fhubik_afk has joined #openstack-keystone		15:03
*** fhubik has quit IRC		15:04
*** topol has quit IRC		15:06
*** rlt_ has quit IRC		15:11
*** Bjoern__ has joined #openstack-keystone		15:30
*** browne has quit IRC		15:31
*** samueldmq has joined #openstack-keystone		15:35
samueldmq	ayoung, hi - I was discussing with ericksonsantos a simple but powerful bd model to store the policies	15:37
samueldmq	ayoung, it would make simple to both i) generate the policy ii) retrieve APIs a token is able to perform	15:37
*** krykowski has quit IRC		15:38
ayoung	samueldmq, work is already underway	15:40
*** rm_work is now known as rm_work\|away		15:40
ayoung	I can't type!	15:40
ayoung	ah	15:40
ayoung	samueldmq, Iorem has done a lot of work along these lines	15:40
ayoung	samueldmq, this policy file works with nova, glance, and cinder https://github.com/admiyo/openstack-core-policy/blob/master/common-policy.json	15:43
samueldmq	ayoung, ok I will sync with him	15:50
*** breton has quit IRC		15:50
samueldmq	ayoung, nice you put them together, and it just works	15:50
samueldmq	ayoung, so the service just ignore the api's it doesn't know about, right?	15:50
*** mattfarina has quit IRC		15:51
*** esp has left #openstack-keystone		15:52
openstackgerrit	Doug Fish proposed openstack/python-keystoneclient: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/172155	15:59
*** davechen has left #openstack-keystone		16:00
*** _cjones_ has joined #openstack-keystone		16:01
*** pnavarro has quit IRC		16:02
ayoung	samueldmq, yes. So long as the API names do not conflict...there is no conflict	16:04
*** ankita_wagh has joined #openstack-keystone		16:04
ayoung	samueldmq, I'm going to try adding in neutron's next, but I need a different setup. I think this is a candidate for oslo-incubator	16:05
*** jsavak has joined #openstack-keystone		16:05
samueldmq	ayoung, hmm so the unifies policy will go to oslo-incubator before graduated to its own repo	16:06
samueldmq	is that right ?	16:06
ayoung	samueldmq, yes	16:06
ayoung	it gives us a way to make sure we have things right for each service. Trying to do work in parallel	16:07
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains https://review.openstack.org/164180	16:07
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	16:07
samueldmq	ayoung, cool .. I was wondering how we will migrate existing policies (in running deployments) to	16:08
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854	16:08
*** joesavak has quit IRC		16:08
samueldmq	ayoung, if we just put them all together it's an easy task, but if we do other things (trying to make roles compatible across services, etc) it will be harder	16:08
*** e0ne is now known as e0ne_		16:08
ayoung	lbragstad, can you pull the trigger on https://review.openstack.org/#/c/157427/56 please? I don;t want it beating my record for most revisions for a patch review.	16:09
*** vhoward has left #openstack-keystone		16:09
*** vhoward has joined #openstack-keystone		16:10
ayoung	samueldmq, look through the git log in that repo, and you can see how I did it step by step	16:10
lbragstad	sure, I can take a look	16:10
ayoung	lbragstad, thanks. It is at the head of a long line of patches.	16:12
*** browne has joined #openstack-keystone		16:13
*** rm_work\|away is now known as rm_work		16:13
*** _cjones_ has quit IRC		16:14
*** winggundamth has quit IRC		16:15
*** breton has joined #openstack-keystone		16:16
*** e0ne_ is now known as e0ne		16:17
rodrigods	ayoung, reseller marathon review?	16:21
ayoung	rodrigods, I've looked at these all multiple times...we have too much inventory on the shelves	16:21
raildo	rodrigods, haha I like it!	16:22
*** gokrokve_ has joined #openstack-keystone		16:22
*** joesavak has joined #openstack-keystone		16:23
*** _cjones_ has joined #openstack-keystone		16:23
*** gokrokve_ has quit IRC		16:23
*** gokrokve_ has joined #openstack-keystone		16:24
*** dikonoor has quit IRC		16:24
samueldmq	ayoung, if we have confliting rules coming from different policy files	16:25
ayoung	samueldmq, we declofict	16:25
samueldmq	ayoung, and they are completely different, how we unify this ?	16:25
*** gokrokve has quit IRC		16:25
ayoung	I decide	16:25
ayoung	randomly. and finally	16:26
ayoung	whimsically, too	16:26
*** jsavak has quit IRC		16:26
ayoung	samueldmq, so, the api names have been deconflicted thus far	16:26
ayoung	the common rules need to be unified anyway	16:26
samueldmq	"xpto":"role:is_admin or role_whatever"	16:26
samueldmq	"xpto":""	16:26
ayoung	like the default rule, for example	16:26
samueldmq	^	16:26
ayoung	xpto?	16:27
samueldmq	ayoung, an arbitrary rule	16:27
ayoung	samueldmq, ... lets not get into that now. You know the general path...right now I'm just doing the easy groundwork	16:27
ayoung	I havne't seen any major painpoints yet. Need to figure out how to his neutron	16:28
ayoung	hit	16:28
samueldmq	ayoung, ok, I am just raising a flag that I am not convinced that unifying the policy is a task that we can easily automate	16:29
samueldmq	; )	16:29
*** alexsyip has joined #openstack-keystone		16:31
*** rm_work is now known as rm_work\|away		16:32
openstackgerrit	David Stanek proposed openstack/python-keystoneclient: Don't autodoc the test suite https://review.openstack.org/181064	16:33
*** emagana has quit IRC		16:35
*** Bjoern__ is now known as BjoernT		16:36
*** rushiagr_away is now known as rushiagr		16:40
*** emagana has joined #openstack-keystone		16:42
*** ankita_wagh has quit IRC		16:43
*** lhcheng has joined #openstack-keystone		16:43
*** ChanServ sets mode: +v lhcheng		16:43
*** _cjones_ has quit IRC		16:56
*** ankita_wagh has joined #openstack-keystone		17:00
*** samleon has joined #openstack-keystone		17:00
*** emagana has quit IRC		17:00
*** _cjones_ has joined #openstack-keystone		17:00
*** emagana has joined #openstack-keystone		17:01
*** joesavak has quit IRC		17:03
*** joesavak has joined #openstack-keystone		17:07
breton	https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/httpclient.py#L595 why don't we check auth_ref for domain scope?	17:09
*** e0ne has quit IRC		17:11
samueldmq	dstanek, fyi : there will be a #qa fishbowl session to revisit tempest scope	17:15
samueldmq	dstanek, regarding funtional and integration tests, see https://etherpad.openstack.org/p/liberty-qa-summit-topics	17:15
dstanek	samueldmq: yes, i plan on hanging out in some QA sessions	17:16
samueldmq	dstanek, ++ me too	17:17
*** jistr has quit IRC		17:17
lhcheng	I noticed tox is configured to ignore: H405 multi line docstring summary not separated with an empty line	17:17
lhcheng	is there a reason for that?	17:18
samueldmq	dstanek, btw #qa meeting is happening right now in the main meeting channel :)	17:18
dstanek	samueldmq: yep, i'n there lurking	17:18
samueldmq	:)	17:18
*** mattfarina has joined #openstack-keystone		17:20
*** topol has joined #openstack-keystone		17:35
*** ChanServ sets mode: +v topol		17:35
*** ctina__ has quit IRC		17:37
*** ctina___ has joined #openstack-keystone		17:37
*** emagana has quit IRC		17:40
*** emagana has joined #openstack-keystone		17:43
*** anteaya has quit IRC		17:45
*** emagana has quit IRC		17:48
*** jistr has joined #openstack-keystone		17:49
*** gokrokve has joined #openstack-keystone		17:53
*** arunkant_ has joined #openstack-keystone		17:56
*** gokrokve_ has quit IRC		17:57
richm	dtroyer: ping - can the openstackclient --insecure or --verify flag be passed as an environment variable e.g. OS_INSECURE=true ?	17:57
*** gokrokve has quit IRC		17:59
*** rushiagr is now known as rushiagr_away		18:00
*** gokrokve has joined #openstack-keystone		18:03
*** mattfarina has quit IRC		18:04
*** emagana has joined #openstack-keystone		18:05
*** ericksonsantos has quit IRC		18:05
*** tellesnobrega has quit IRC		18:05
*** raildo has quit IRC		18:06
*** samueldmq has quit IRC		18:06
*** htruta has quit IRC		18:06
*** e0ne has joined #openstack-keystone		18:07
*** _cjones_ has quit IRC		18:07
*** _cjones_ has joined #openstack-keystone		18:09
*** gokrokve has quit IRC		18:13
*** gokrokve has joined #openstack-keystone		18:14
*** ankita_w_ has joined #openstack-keystone		18:18
*** gokrokve has quit IRC		18:19
*** anteaya has joined #openstack-keystone		18:19
*** ctina___ has quit IRC		18:20
*** ankita_wagh has quit IRC		18:21
*** tellesnobrega has joined #openstack-keystone		18:21
*** htruta has joined #openstack-keystone		18:24
*** david-lyle_ has joined #openstack-keystone		18:25
*** david-lyle has quit IRC		18:25
*** david_lyle__ has joined #openstack-keystone		18:25
*** raildo has joined #openstack-keystone		18:26
*** david-lyle has joined #openstack-keystone		18:28
*** samleon has quit IRC		18:28
emagana	keystone core I fellow from Neutron core asking for some feedback on this one: https://review.openstack.org/180247	18:28
*** david-lyle_ has quit IRC		18:29
emagana	... arrgghhhh that went bad.. I mean to Keystone cores, a request from a fellow neutron core.. bla bla bla....	18:29
emagana	:-)	18:29
*** samleon has joined #openstack-keystone		18:29
*** ericksonfgds has joined #openstack-keystone		18:31
*** david_lyle__ has quit IRC		18:31
dtroyer	richm: no, those are probably the only ones that can't be passed in env vars	18:33
mtreinish	morganfainberg: just fyi for http://libertydesignsummit.sched.org/event/8f871516b7d1cf8bf342ada310d91180#.VUuvmPZH0-U there's overlap with a qa work session	18:33
mtreinish	I noticed you cross-tagged qa for it	18:33
dtroyer	they are recognized in clouds.yaml though	18:33
*** david-lyle has quit IRC		18:34
*** jsavak has joined #openstack-keystone		18:35
*** joesavak has quit IRC		18:39
*** joesavak has joined #openstack-keystone		18:39
morganfainberg	mtreinish: yep	18:39
morganfainberg	mtreinish: i know	18:39
morganfainberg	mtreinish: we'd have overlap in most cases.	18:39
morganfainberg	mtreinish: I figure we might wander over and occupy some of your session :P	18:40
morganfainberg	>.>	18:40
*** jsavak has quit IRC		18:41
*** tellesnobrega has quit IRC		18:41
*** jsavak has joined #openstack-keystone		18:41
*** raildo has quit IRC		18:41
*** ericksonfgds has quit IRC		18:42
*** htruta has quit IRC		18:42
*** joesavak has quit IRC		18:45
richm	dtroyer: ok - thanks	18:47
*** david-lyle has joined #openstack-keystone		18:47
*** jistr has quit IRC		18:51
dstanek	emagana: looks like that would be a good idea. i'll do a deeper review in a few	18:51
emagana	dstanek: Thanks! I do appreciate it	18:51
*** rm_work\|away is now known as rm_work		18:52
*** emagana has quit IRC		18:53
*** david-lyle_ has joined #openstack-keystone		18:53
*** emagana has joined #openstack-keystone		18:55
*** emagana has quit IRC		18:55
*** packet has quit IRC		18:56
*** david-lyle has quit IRC		18:56
*** david-lyle_ is now known as david-lyle		18:57
*** packet has joined #openstack-keystone		18:57
*** emagana has joined #openstack-keystone		18:59
*** samueldmq has joined #openstack-keystone		18:59
mtreinish	morganfainberg: heh, ok	18:59
*** joesavak has joined #openstack-keystone		19:02
*** jsavak has quit IRC		19:03
*** stevemar has joined #openstack-keystone		19:03
*** ChanServ sets mode: +v stevemar		19:03
*** ankita_w_ has quit IRC		19:05
*** ankita_wagh has joined #openstack-keystone		19:08
*** tellesnobrega has joined #openstack-keystone		19:20
*** _cjones_ has quit IRC		19:21
*** raildo has joined #openstack-keystone		19:27
*** Vitalii has joined #openstack-keystone		19:33
*** blewis` has quit IRC		19:40
*** david-lyle has quit IRC		19:43
Vitalii	Hi. I was wondering is there a way to specify different expiration time for tokens generated by keystone?	19:43
ayoung	Vitalii, different how:?	19:46
stevemar	Vitalii, the config file should have a token expiration time option	19:46
*** blewis has joined #openstack-keystone		19:47
*** blewis` has joined #openstack-keystone		19:49
Vitalii	I mean different on domain/project level	19:50
*** gokrokve has joined #openstack-keystone		19:51
*** blewis has quit IRC		19:51
Vitalii	let's say I would like to get tokens generated for project A to be valid for one hour, but ones for project B to be valid for one day	19:51
Vitalii	There is a possibility to specify domain-specific configuration. Could I put [token] specific configuration there?	19:55
*** gokrokve has quit IRC		19:55
*** csd has quit IRC		19:56
*** csd has joined #openstack-keystone		19:57
stevemar	Vitalii, nope, that won't work	19:58
stevemar	the functionality does not exist	19:59
Vitalii	stevemar, thanks	19:59
ayoung	Vitalii, that is a cool suggestion, why do you want it?	20:00
*** _cjones_ has joined #openstack-keystone		20:03
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: List projects filtering by is_domain flag https://review.openstack.org/158398	20:05
*** ankita_w_ has joined #openstack-keystone		20:06
*** ankita_wagh has quit IRC		20:07
*** bknudson has joined #openstack-keystone		20:09
*** ChanServ sets mode: +v bknudson		20:09
Vitalii	ayoung, we are developing a tool that would download/upload some data from openstack. We wanted some mechanism to retry a failed operation in case of failure without a necessity re-authenticate/authorize the user.	20:12
ayoung	Vitalii, would trusts work for you instead?	20:12
Vitalii	ayoung, I think it would work. Thanks for the hint!	20:14
ayoung	Vitalii, trusts were developed for just these kinds of use cases	20:15
ayoung	stevemar, since you went and wrote Oauth, I think you should be responsible for merging trusts and oauth	20:15
morganfainberg	dstanek, dolphm, stevemar, topol, ayoung, nkinder, bknudson, lhcheng, marekd, jamielennox\|away, https://review.openstack.org/#/c/181137/ <-- defcore designated sections information for Keystone	20:15
ayoung	decore hardcore!	20:15
stevemar	ayoung, nooooo	20:15
ayoung	stevemar, yesssssss	20:16
ayoung	stevemar, first we make consumers a domain....	20:16
morganfainberg	ayoung: then re rename domains to tenants and call projects domains then we renamed everything to realms, and convert our APIs to use ftp instead of HTTP	20:17
ayoung	morganfainberg, I just meant storage	20:18
ayoung	consumers are ephemeral users	20:18
ayoung	so put them in their own domain, and drop the oauth specific tables	20:18
morganfainberg	ayoung: and I'm just spouting nonsense :)	20:18
ayoung	morganfainberg, and I am not...the hands on the other foot!	20:18
morganfainberg	ayoung: where did you find a glove for that foot-hand?	20:19
morganfainberg	bknudson: fixed the v2/v3 typo	20:19
ayoung	morganfainberg, we can enforce policy on the domain field of the project, even if we get a V2 token, right?	20:19
*** pothole is now known as ptoohill		20:19
samueldmq	morganfainberg, what is that defcore change ? I mean, what is that used for ?	20:20
morganfainberg	samueldmq: what APIs are required when deploying OpenStack to get certified	20:20
*** _cjones_ has quit IRC		20:21
samueldmq	morganfainberg, certified for what ? who certifies ? any docs on this ? (sorry if I am asking basic things ) ;)	20:21
ayoung	morganfainberg, defcore change fails pep8. Lines too long. Can't read, even in unified.. gah	20:22
ayoung	why does it only use half the page in diff....	20:22
morganfainberg	samueldmq: foundation is certifying	20:22
morganfainberg	samueldmq: it's an interoperable certification	20:22
samueldmq	morganfainberg, hmm, nice	20:24
ayoung	evey single policy rule in keystone has is_admin:1 in it ... maybe we should just put that override outside the policy enforcement	20:24
ayoung	samueldmq, check me on this...	20:25
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n169 and	20:25
*** _cjones_ has joined #openstack-keystone		20:25
*** _cjones_ has quit IRC		20:25
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n103	20:25
*** drjones has joined #openstack-keystone		20:25
ayoung	we don't need is_admin in the policy check for keystone, becuase if is_admin, skip policy check...right?	20:26
*** gokrokve has joined #openstack-keystone		20:26
dolphm	for arbitrary values of "is_admin"	20:27
*** gokrokve has quit IRC		20:28
*** gokrokve has joined #openstack-keystone		20:28
dolphm	oh, that's not from policy	20:28
dolphm	that's the admin token middleware	20:28
stevemar	dolphm, i also had to look that up	20:29
samueldmq	ayoung, if is_admin means no retriction ... yes we can skip, although it should always be configured via policy	20:30
ayoung	samueldmq, nah, it means SERVICE_TOKEN	20:30
samueldmq	ayoung, but in that case, I think is_admin always mean no restriction	20:30
*** emagana has quit IRC		20:31
samueldmq	ayoung, ah k makes sense, so services can do whatever the need, makes sense then	20:31
ayoung	is_admin:1 is set somehwere in the wsgi code above here...I can find in a sec	20:31
*** emagana has joined #openstack-keystone		20:32
*** toddnni has quit IRC		20:33
samueldmq	morganfainberg, I submitted a couple of nit comments on your defcore patch	20:34
samueldmq	morganfainberg, they're in patchset 2, since you just submitted a new patchset :/	20:35
*** zzzeek has quit IRC		20:35
morganfainberg	the backends cover all backends	20:35
morganfainberg	and we have memcache	20:35
*** ericksonfgds has joined #openstack-keystone		20:35
morganfainberg	for token	20:35
*** zzzeek has joined #openstack-keystone		20:35
*** BjoernT has quit IRC		20:37
*** stevemar has quit IRC		20:42
*** toddnni has joined #openstack-keystone		20:43
*** pnavarro has joined #openstack-keystone		20:44
*** e0ne has quit IRC		20:51
*** Vitalii has left #openstack-keystone		20:52
*** browne has quit IRC		20:58
*** ankita_wagh has joined #openstack-keystone		21:02
*** ankita_w_ has quit IRC		21:06
marekd	morganfainberg: thanks (re:defcore review)	21:06
*** topol has quit IRC		21:08
*** EmilienM is now known as EmilienM\|afk		21:16
openstackgerrit	Merged openstack/keystoneauth: Remove unused plugins from entrypoints https://review.openstack.org/180960	21:18
*** pnavarro has quit IRC		21:18
*** lmtaylor has left #openstack-keystone		21:18
*** packet has quit IRC		21:23
openstackgerrit	Merged openstack/pycadf: drop audit middleware https://review.openstack.org/176969	21:26
*** ankita_w_ has joined #openstack-keystone		21:36
*** ankita_wagh has quit IRC		21:39
bigjools	folks, I have things set up for federation with SAML and when the IdP redirects back to keystone, it hangs for 2 minutes before saying it couldn't auth. Can anyone give pointers please?	21:51
ayoung	bigjools, look at the access log on the keystoen server, make sure the redirect gets there	21:54
ayoung	bigjools, then turn on debug in the keystone log	21:54
ayoung	bigjools, question is where is it hanging. Using something like SAML Tracer for the browser is useful, too	21:55
ayoung	bigjools, you can also look in the token backend database to see if the token got allocated.	21:55
bigjools	ayoung: the callback all looks good from SAML, I see keystone debug processing the user	21:56
bigjools	let me check the token	21:56
ayoung	bigjools, what needs to happen is the Keystone server creates a page to post the token back to horizon. DO you see that post happening? You can tell from the Horizon logs	21:56
*** ankita_wagh has joined #openstack-keystone		21:56
*** david-lyle has joined #openstack-keystone		21:56
ayoung	bigjools, my guess is that the post is what is hanging.	21:56
bigjools	yeah exactly	21:56
bigjools	then it redirects back to login page	21:57
ayoung	bigjools, how did you install Horiozn?	21:57
bigjools	devstack	21:57
bigjools	just trying to get a demo set up	21:57
ayoung	bigjools, so it is the post that is failing? Is it going to the right url?	21:58
bigjools	it goes to the websso url	21:58
bigjools	then hangs	21:58
ayoung	bigjools, my set up is a little different, in the I started with packstack. I needed a WEBROOT value set in the local settings	21:58
ayoung	I don;t think devstack needs that	21:58
bigjools	I have it working with Kerberos with the same setup	21:58
bigjools	switching to SAML gives this problem	21:58
*** ankita_w_ has quit IRC		21:59
ayoung	WEBROOT = '/dashboard/'	21:59
*** chlong has quit IRC		21:59
bigjools	I'm kinda new to Openstack so not sure what everything is yet	21:59
ayoung	bigjools, Kerberos is a different system, right? You are not trying to mix the two on one are you?	21:59
bigjools	I have separate providers for them	22:00
ayoung	and they are on separate servers, right.	22:00
bigjools	the IdP? yes	22:00
ayoung	no, I mean the Horizon set with Kerberos is a different server than you are trying to get SAML working on	22:00
ayoung	it sounds like a dumb question, but I need to ask...	22:01
bigjools	no, it's all the same	22:01
*** gokrokve has quit IRC		22:01
*** gokrokve has joined #openstack-keystone		22:01
bigjools	I just set up WEBSSO_CHOICES with the extra stuff	22:01
ayoung	bigjools, Kerberos using S4U2Proxy?	22:01
bigjools	don't know what that is so I guess not :)	22:01
ayoung	bigjools, what do you mean by "I have it working with Kerberos with the same setup" then?	22:02
bigjools	I have Apache with the appropriate modules sat in front of it	22:02
bigjools	so you get the redirect through the difference URLs for auth	22:03
bigjools	different*	22:03
ayoung	bigjools, is Kerberos protecting Horizon, or just your IdP?	22:03
bigjools	both	22:03
ayoung	GAh	22:03
ayoung	why?	22:03
bigjools	well - both horizon and keystone I mean	22:03
ayoung	you should not have kerberos in front of Horizon. I suspect that is why things are hangin	22:04
bigjools	I am following the directions on docs.openstack.org	22:04
ayoung	they lie	22:04
bigjools	heh	22:04
ayoung	you are mixing apples and kangaroos	22:04
bigjools	I found a few bad things	22:04
ayoung	those were my fault	22:04
bigjools	your blog did get me going with Kerberos though :)	22:05
ayoung	don't even know what you found, but yopui can probably blame me	22:05
ayoung	uh uh	22:05
ayoung	swell?	22:05
bigjools	got me going - I'm using Ubuntu so lots of different stuff	22:05
ayoung	OK...so...for Kerberos, I would	22:05
bigjools	I blogged my own setup	22:05
ayoung	you are not going to make this easy for me, are you?	22:05
ayoung	link?	22:06
bigjools	I have two Location blocks in Apache's vhost for the websso part and the keystone part	22:06
bigjools	https://bigjools.wordpress.com/2015/04/27/federated-openstack-logins-using-kerberos/	22:06
ayoung	OK...so you don't want to mix kerberos and SAML. You want to do them side by side, but not the same URL	22:06
ayoung	I think the SSSD approach will work on latest Ubuntus...that is probably what you want for local kerberos	22:06
*** gokrokve has quit IRC		22:07
*** emagana has quit IRC		22:07
ayoung	and for SAML you put it parallel under OS-FEDERATION	22:07
bigjools	when you say same URL, I'm not sure what you mean	22:07
*** gokrokve has joined #openstack-keystone		22:07
ayoung	http://adam.younglogic.com/2015/04/horizon-websso-sssd/	22:07
ayoung	bigjools, OK, so under keystone, it is....(one sec)	22:08
bigjools	there's no sssd on ubuntu I think	22:08
bigjools	at least not on 12.04 which is what I need to use	22:08
ayoung	curl --negotiate -u: $HOSTNAME:5000/v3/OS-FEDERATION/identity_providers/sssd/protocols/kerberos/auth	22:08
ayoung	bigjools, pretty sure there is	22:08
ayoung	we've been making sure it is out for a while...	22:09
bigjools	I've got this	22:09
bigjools	<Location "/v3/OS-FEDERATION/identity_providers/saml/protocols/saml2/auth">	22:09
bigjools	my idp is just called saml	22:09
ayoung	right so you don't want kerberos protecting that	22:09
ayoung	only SAML	22:09
bigjools	and this: <Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">	22:09
ayoung	looks right	22:09
bigjools	it isn't protecting that	22:09
bigjools	I have this too: <Location ~ "kerberos" >	22:10
bigjools	so shouldn't clash	22:10
ayoung	so Kerberos is on something like htosname:4443/kerberos/v3/auth ?	22:10
ayoung	toastname	22:10
bigjools	I presume so	22:11
ayoung	oy vey es mir	22:11
bigjools	at least I can see the two separate URLs working OK when I use it	22:11
bigjools	actually, not sure what you mean	22:11
ayoung	I think you are OK at that level...let's ignore SSSD for now	22:12
ayoung	bigjools, figure out the SAML part of it. Are you using shibboleth or mellon for the apache module?	22:12
bigjools	shib	22:12
ayoung	nkinder, ^^ this is interesting, you might like to lurk	22:12
bigjools	I am using testshib	22:12
bigjools	for the idp	22:12
ayoung	bigjools, ok, I've not tried shib yet...but it should work, I think	22:13
bigjools	I was advised to use it by marekd	22:13
bigjools	he said it worked for him :)	22:13
ayoung	bigjools, if nothing else it gets me out of the hot seat....	22:13
bigjools	the last thing I see in keystone's log is:	22:13
bigjools	DEBUG keystone.contrib.federation.utils [-] mapped_properties: .....	22:13
ayoung	bigjools, OK, so you can verify that it is the post of the token to Horizon that is failing?	22:13
bigjools	yes	22:14
bigjools	let me fire it up again, I just had to reboot a machine	22:14
ayoung	bigjools, ok...so we are beyond SAML at this point. DO you see the post coming in the apache access log?	22:14
bigjools	the last thing is a GET	22:15
*** browne has joined #openstack-keystone		22:15
bigjools	GET /v3/auth/OS-FEDERATION/websso/saml2?origin=...	22:16
bigjools	with the user set	22:16
ayoung	that is the keystone side of things...is the horizon log separate? I don't have a devstacked one handy	22:17
*** nkinder has quit IRC		22:18
bigjools	yeah separate	22:18
bigjools	POST /auth/login/ is the last thing	22:19
bigjools	oh damn I broke my firewall	22:19
ayoung	bigjools, ok, so need to see if the Horizon server receives that. Also, I've had luck with browser plugins for this kind of thing, and I recommend either firebug or SAML tracer	22:19
ayoung	ACHA!	22:19
bigjools	that's nothing to do with this problem :)	22:19
bigjools	it means I can't recreate anything until I get my ports forwarded again	22:20
bigjools	so I am tracing all this in chrome's developer console, it definitely POSTs	22:20
bigjools	although you got me wondering if my firewall is causing this all now	22:21
*** gokrokve has quit IRC		22:21
*** gordc has quit IRC		22:24
bigjools	ayoung: so I do see that POST to horizon, it just ignores it	22:33
bigjools	now if only I could remember what I did to get port forwarding working in my container	22:34
*** amerine has joined #openstack-keystone		22:35
*** Raildo_ has joined #openstack-keystone		22:36
ayoung	bigjools, ytou see the token getting posted to horizon, but horizon ignores it?	22:36
bigjools	ayoung: it does POST /auth/websso/	22:37
bigjools	then 2 minutes later a GET, when it times out	22:37
ayoung	bigjools, should that be /dashboard/auth/websso ? It is for me	22:37
bigjools	I don't have the dashboard prefix anywhere	22:37
*** joesavak has quit IRC		22:38
ayoung	bigjools, I wonder if you havean old version of Django openstack auth	22:38
bigjools	horizon seems to time out, that post returns 302	22:38
*** david-lyle has quit IRC		22:38
ayoung	it shouldn't hang, though	22:38
bigjools	back to the login page	22:39
bigjools	let me check the version	22:39
bigjools	it's on stable/kilo	22:39
bigjools	everything should be on stable/kilo	22:40
ayoung	bigjools, django openstack auth is installed via pip, not git in devstack. I wonder if the most recent code is in pip.	22:40
* bigjools checks		22:40
ayoung	bigjools, one thing you could try is doing a git checkout of doa, then a sudo python setup.py develop	22:41
bigjools	django-openstack-auth (1.3.0)	22:41
ayoung	that should be good	22:41
bigjools	I thought that was what stack.sh does	22:41
bigjools	ok let's do that	22:42
ayoung	bigjools, stack.sh does that for services, but not librarires. I don;'t think it does for DOA, but you can check...it would be in /opt/stack/django-openstack-auth	22:42
*** rm_work is now known as rm_work\|away		22:42
ayoung	1.3.0 is current	22:42
ayoung	it is missing the WEBROOT fix, but you should not need that	22:42
bigjools	ummm .... Processing dependencies for django-openstack-auth==1.2.0.post1	22:43
bigjools	git branch says stable/kilo	22:43
ayoung	bigjools, I'd make sure you have the right DOA.	22:44
lhcheng	bigjools: did you configure horizon against keystone v3 endpoint?	22:44
bigjools	yes	22:45
*** topol has joined #openstack-keystone		22:46
*** ChanServ sets mode: +v topol		22:46
bigjools	ayoung: do I need to move to 1.3.0 even though kilo is at 1.2.0?	22:47
ayoung	bigjools, ask in #openstack-horizon. david lyle would know	22:49
bigjools	ack, thanks	22:50
ayoung	bigjools, he's not around...but I suspect so	22:50
ayoung	let me look at what tag 1.2 is in git	22:50
ayoung	http://git.openstack.org/cgit/openstack/django_openstack_auth/log/	22:50
ayoung	I don't see anything major between 1.2.0 and 1.3.0 there	22:51
bigjools	me neither	22:51
ayoung	websso redirect test is a ways back, so websso should be there...ok, let's assume that the library is good	22:52
bigjools	given that this all works with kerberos for me, I would have been surprised if it was the wrong version	22:52
ayoung	bigjools, do you have websso enabled?	22:53
bigjools	yes	22:53
bigjools	not sure I'd get very far from Horizon otherwise :)	22:53
ayoung	bigjools, at this point, I'd probably bust out rpdb and put a breack point around here: http://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/views.py?id=f5b2827a4de3375ff0c39dbe2884feb5cac0c740#n134	22:54
ayoung	pip install rpdb.	22:54
bigjools	good call	22:55
ayoung	then edit the file and import rpdb; rpdb.set_trace()	22:55
ayoung	trigger the hang, then	22:55
ayoung	telnet localhost 4444	22:55
ayoung	make sure you have telnet installed first. I hate when I forget that	22:55
bigjools	yeah it's not in my container	22:55
bigjools	I am not sure what I did yesterday to get ports forwarded into lxc but I can't get it working today, damn.	22:56
bigjools	this is blocking me, I might be a little while working this out, sorry :(	22:56
bigjools	thanks for the help so far though!	22:56
ayoung	bigjools, so, the last thing you saw on Keystone was the websso redirect back to horizon. Here is what should happen next	22:57
ayoung	you hit the code I linked above ,which calls into	22:57
ayoung	authenticate here http://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/backend.py#n83	22:57
ayoung	it should see that it has a token, and use the approparet KC auth plugin, and try to list projects for the user	22:58
ayoung	it looks like it never starts making calls back to keystone, though.	22:58
bigjools	it's getting as least as far as this:	22:59
bigjools	DEBUG keystone.contrib.federation.utils [-] mapped_properties: {'group_ids': [u'2b684c680c8f48e590125c29c6e4c76e'], 'user': {u'domain': {'id': 'Federated'}, 'type': 'ephemeral', u'name': u'myself@testshib.org'}, 'group_names': []} process /opt/stack/keystone/keystone/contrib/federation/utils.py:476	22:59
ayoung	that is federation code, I think. But maybe that is trying to convert the federated token to a scoped token	22:59
bigjools	so I think it is calling keystone	22:59
ayoung	you said you saw a post to /v3/auth/tokens?	22:59
bigjools	yes	23:00
ayoung	but you don't see the call to list projects?	23:00
bigjools	then GET /v3/OS-FEDERATION/mappings	23:00
ayoung	ruh?	23:01
bigjools	then it goes to GET /v3/auth/OS-FEDERATION/websso/saml2?....	23:01
ayoung	that is all before. THat is getting the Federation unscoped token/	23:01
ayoung	not sure why mappings is called	23:01
bigjools	that ^^ GET is the last thing in the log	23:02
ayoung	yeah, that is the response going to Horizon. The next call is hanging in Horizon for some reason. I'd want rpdb there	23:03
ayoung	bigjools, I have to go be dad here for a while	23:03
bigjools	no worries	23:03
bigjools	same problems here :)	23:03
bigjools	thanks so far - I'll get my ports fixed and do that rpdb	23:03
ayoung	good luck	23:10
*** arunkant_ has quit IRC		23:18
*** chlong has joined #openstack-keystone		23:24
*** darrenc is now known as darrenc_afk		23:24
*** markvoelker has quit IRC		23:26
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/181205	23:31
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/179904	23:31
*** nkinder has joined #openstack-keystone		23:34
*** samueldmq has quit IRC		23:36
*** samueldmq has joined #openstack-keystone		23:36
openstackgerrit	OpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements https://review.openstack.org/178425	23:36
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/178426	23:37
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/181235	23:37
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient-saml2: Updated from global requirements https://review.openstack.org/161588	23:37
*** lhcheng has quit IRC		23:40
*** topol has quit IRC		23:43
*** darrenc_afk is now known as darrenc		23:47
*** dims_ has joined #openstack-keystone		23:50
*** dims has quit IRC		23:52
*** markvoelker has joined #openstack-keystone		23:56
*** ankita_wagh has quit IRC		23:57
*** markvoelker has quit IRC		23:57
*** markvoelker has joined #openstack-keystone		23:57
*** ankita_wagh has joined #openstack-keystone		23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!