Friday, 2015-06-26

00:00 <bknudson> nice
00:00 <morganfainberg> https://www.consul.io/docs/agent/dns.html
00:00 <morganfainberg> bknudson: so.. yes, does exactly what i'd want it to do
00:01 <morganfainberg> a SUB-url thing would potentially need to be an extra record
00:01 <morganfainberg> i don't think SRV can support that
00:01 <morganfainberg> but JSON home could support/allow that type of discovery
00:03 <morganfainberg> bknudson: so my thought is something like consul - keystonemiddleware registers with it so consul knows what services are "active", and instead of asking keystone itself for the catalog(s) or looking in the tokens, the service can pull straight from consul - keystone can then broker to external clients that are using the old interface/in-token interface
00:03 <bknudson> so the other thing we've got going on is people hope to get some kind of security by limiting the service catalog and enforcing that in middleware
00:04 <dstanek> bknudson: yeah, i don't quite get that
00:04 <morganfainberg> bknudson: keystone can still do that type of stuff - we'll need to figure out how to manage that
00:04 <morganfainberg> bknudson: if it's a real ask
00:04 <morganfainberg> bknudson: well RAX does that - if the endpoint isn't in the catalog for that user, they get rejected talking to another endpoint
00:05 <dstanek> morganfainberg: will they still do that with keystone
00:05 <morganfainberg> bknudson: it's the idea of not allowing CUSTOMER_X from talking to the BETA_ENDPOINTS but maybe an early-adopter customer is allowed to use beta
00:05 <bknudson> which one of you works for RAX?
00:05 <morganfainberg> bknudson: dstanek :P
00:05 <morganfainberg> bknudson: but i spent a good deal of time talking their uses over with them.
00:05 *** zzzeek has joined #openstack-keystone
00:05 <dstanek> bknudson: unfortunately they don't use keystone :-P
00:05 <morganfainberg> dstanek: they do want the same support in keystone though
00:06 <morganfainberg> dstanek: last i heard.  and i've heard that ask from other orgs too
00:06 <morganfainberg> dstanek: ctina's for example
00:06 <morganfainberg> (oh she's not here at the moment)
00:07 <dstanek> so i think rax has a separate service that sits in front of identity that does this type of filtering
00:07 <morganfainberg> dstanek: repose
00:07 <morganfainberg> dstanek: because i always wanted to use java in my python IaaS services
00:07 <bknudson> https://github.com/rackerlabs/repose
00:08 <dstanek> haha, i know repose does the rate limiting and some other stuff - not sure about the catalog pieces
00:08 <morganfainberg> dstanek: it also does token things
00:08 <morganfainberg> dstanek: or so i'm told
00:08 <morganfainberg> dstanek: basically instead of auth_token this thing
00:08 <bknudson> it's scala
00:09 <morganfainberg> even better
00:09 <dstanek> did you just call it crap?
00:09 <gyee> lmao
00:09 * morganfainberg sure didn't
00:09 <gyee> go on
00:09 <morganfainberg> anyway
00:10 * morganfainberg is thinking POC with consul to drive the catalog.
00:10 <gyee> that's ya ticket to Tokyo
00:12 *** Rockyg has joined #openstack-keystone
00:12 <morganfainberg> bknudson: i nominate gyee to make us an awesome flashy keystone webpage /me ducks
00:13 <gyee> hah
00:14 *** bknudson has left #openstack-keystone
00:14 *** bknudson has joined #openstack-keystone
00:14 *** ChanServ sets mode: +v bknudson
00:24 *** markvoelker has joined #openstack-keystone
00:26 *** zzzeek has quit IRC
00:30 *** markvoelker has quit IRC
00:47 *** pballand has quit IRC
00:48 *** lhcheng has quit IRC
00:51 *** woodster_ has quit IRC
00:52 *** Rockyg has quit IRC
00:58 *** liusheng has joined #openstack-keystone
00:59 *** htruta has quit IRC
01:05 *** tobe has joined #openstack-keystone
01:06 *** david-ly_ has joined #openstack-keystone
01:09 *** david-lyle has quit IRC
01:16 *** spandhe has quit IRC
01:18 *** ankita_wagh has quit IRC
01:20 *** ncoghlan has joined #openstack-keystone
01:21 *** csoukup has joined #openstack-keystone
01:27 *** lhcheng has joined #openstack-keystone
01:27 *** ChanServ sets mode: +v lhcheng
01:28 *** fangzhou has quit IRC
01:33 *** jasondotstar has joined #openstack-keystone
01:34 *** dramakri has quit IRC
01:40 *** davechen has joined #openstack-keystone
01:42 *** boris-42 has quit IRC
01:42 <davechen> henrynash: hi,
01:43 <davechen> henrynash: I think I'll update the commit message for that patch (#195001)
01:44 <davechen> henrynash: Just say that patch will fix when there is no request body instead of body is empty, so it will be more clear.
01:44 <davechen> fix the case*
01:46 *** davechen1 has joined #openstack-keystone
01:49 *** davechen has quit IRC
01:50 *** ankita_wagh has joined #openstack-keystone
01:52 *** davechen has joined #openstack-keystone
01:53 *** davechen1 has quit IRC
01:55 *** davechen1 has joined #openstack-keystone
01:55 *** ankita_wagh has quit IRC
01:56 *** ankita_wagh has joined #openstack-keystone
01:57 *** davechen has quit IRC
01:58 *** _cjones_ has quit IRC
01:59 *** davechen1 is now known as davechen
01:59 *** jasondotstar has quit IRC
02:04 *** ROT26 has quit IRC
02:04 *** crc32 has quit IRC
02:05 *** wolsen has quit IRC
02:05 *** wolsen has joined #openstack-keystone
02:10 *** jasondotstar has joined #openstack-keystone
02:12 *** spandhe has joined #openstack-keystone
02:13 *** ROT26 has joined #openstack-keystone
02:14 *** markvoelker has joined #openstack-keystone
02:14 *** dims has joined #openstack-keystone
02:15 *** dims_ has quit IRC
02:16 <openstackgerrit> Davanum Srinivas (dims) proposed openstack/oslo.policy: Add tox target to find missing requirements  https://review.openstack.org/195842
02:18 *** markvoelker has quit IRC
02:20 *** dims has quit IRC
02:22 *** dims has joined #openstack-keystone
02:23 <openstackgerrit> Davanum Srinivas (dims) proposed openstack/oslo.policy: Add six and oslo.utils to requirements  https://review.openstack.org/195846
02:27 *** jdennis has quit IRC
02:29 *** d0ugal has quit IRC
02:29 *** d0ugal has joined #openstack-keystone
02:30 *** d0ugal is now known as Guest5335
02:33 *** csoukup has quit IRC
02:37 *** nkinder has quit IRC
02:39 *** r-daneel has quit IRC
02:39 *** ankita_wagh has quit IRC
02:42 *** jasondotstar has quit IRC
02:44 *** jdennis has joined #openstack-keystone
02:51 *** stevemar has joined #openstack-keystone
02:58 *** gyee has quit IRC
03:01 *** dims has quit IRC
03:16 *** woodster_ has joined #openstack-keystone
03:19 *** spandhe has quit IRC
03:22 *** boris-42 has joined #openstack-keystone
03:23 *** mestery has joined #openstack-keystone
03:25 *** jdennis has quit IRC
03:26 *** liusheng has quit IRC
03:28 *** ROT26 has quit IRC
03:47 *** sudorandom has quit IRC
03:48 *** stevemar has quit IRC
03:48 *** stevemar has joined #openstack-keystone
03:51 *** stevemar has quit IRC
03:51 *** david-ly_ is now known as david-lyle
03:53 *** sudorandom has joined #openstack-keystone
04:02 *** dramakri has joined #openstack-keystone
04:02 *** markvoelker has joined #openstack-keystone
04:04 *** vilobhmm has joined #openstack-keystone
04:07 *** markvoelker has quit IRC
04:10 *** liusheng has joined #openstack-keystone
04:13 *** rushiagr_away is now known as rushiagr
04:16 *** ankita_wagh has joined #openstack-keystone
04:32 *** ncoghlan has quit IRC
04:36 *** vilobhmm has quit IRC
04:40 *** tobe has quit IRC
04:50 *** stevemar has joined #openstack-keystone
04:53 *** stevemar has quit IRC
04:54 *** arunkant_ has joined #openstack-keystone
04:57 *** pballand has joined #openstack-keystone
04:58 *** arunkant__ has quit IRC
04:58 *** arunkant has joined #openstack-keystone
05:01 *** arunkant_ has quit IRC
05:01 *** pballand has quit IRC
05:01 *** rm_work|away is now known as rm_work
05:02 *** pballand has joined #openstack-keystone
05:02 *** dramakri has quit IRC
05:06 *** ncoghlan has joined #openstack-keystone
05:13 *** ncoghlan has quit IRC
05:19 *** tobe has joined #openstack-keystone
05:21 *** woodster_ has quit IRC
05:28 *** toddnni has quit IRC
05:31 *** ajayaa has joined #openstack-keystone
05:33 <openstackgerrit> Steve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/195873
05:34 *** richm has quit IRC
05:35 *** pballand has quit IRC
05:36 <ajayaa> Hi guys. Does the python-keystoneclient work with domain scoped tokens?
05:36 *** toddnni has joined #openstack-keystone
05:36 <ajayaa> When I pass a domain scoped token to the client I get EndpointNotFound exception.
05:36 <ajayaa> Any idea?
05:36 <ajayaa> jamielennox|away ^^
05:43 *** rushiagr is now known as rushiagr_away
05:44 *** ankita_wagh has quit IRC
05:44 <davechen> ajayaa: why not try OSC?
05:45 <davechen> I think Steve may also have the answer, but it seems he is not online.
05:45 <ajayaa> davechen, I am trying to use python sdk to write some tests.
05:45 <ajayaa> OSC also uses python-keystoneclient, I think.
05:46 <davechen> ajayaa: yep, but OSC has the clear usage about the V3 APIs.
05:47 <davechen> just thought that domain should go to V3
05:47 <ajayaa> When you say OSC, are you talking about the cli?
05:47 <davechen> yep.
05:48 <ajayaa> davechen, I am writing some functional tests using python testtools and keystoneclient.v3 client.
05:48 <davechen> you are not lucky, cores are not available at this time. :)
05:48 <ajayaa> So cli won't be of any use to me.
05:48 <ajayaa> Usually jamielennox would be here.
05:48 <ajayaa> I will come back later
05:49 <davechen> see you. good luck.
05:49 <ajayaa> davechen, :)
05:51 *** markvoelker has joined #openstack-keystone
05:52 *** boris-42 has quit IRC
05:55 *** links has joined #openstack-keystone
05:56 *** markvoelker has quit IRC
05:58 *** pnavarro has joined #openstack-keystone
05:59 *** ankita_wagh has joined #openstack-keystone
06:04 *** ajayaa has quit IRC
06:05 *** tobe has quit IRC
06:08 *** mestery has quit IRC
06:15 *** rushiagr_away is now known as rushiagr
06:21 *** ajayaa has joined #openstack-keystone
06:26 *** boris-42 has joined #openstack-keystone
06:27 *** ajayaa has quit IRC
06:27 *** rm_work is now known as rm_work|away
06:33 *** arunkant_ has joined #openstack-keystone
06:34 *** Guest5335 is now known as d0ugal
06:34 *** d0ugal has quit IRC
06:34 *** d0ugal has joined #openstack-keystone
06:37 *** browne has quit IRC
06:37 *** arunkant has quit IRC
06:38 *** arunkant__ has joined #openstack-keystone
06:40 *** tobe has joined #openstack-keystone
06:41 *** arunkant_ has quit IRC
06:42 *** ajayaa has joined #openstack-keystone
06:43 *** belmoreira has joined #openstack-keystone
06:48 *** arunkant_ has joined #openstack-keystone
06:51 *** arunkant__ has quit IRC
06:58 *** lufix has joined #openstack-keystone
07:15 *** spandhe has joined #openstack-keystone
07:21 *** lsmola has joined #openstack-keystone
07:26 *** liusheng has quit IRC
07:27 *** liusheng has joined #openstack-keystone
07:36 <openstackgerrit> Dave Chen proposed openstack/keystone: Show friendly message when request body is not provided  https://review.openstack.org/195903
07:36 *** rushiagr is now known as rushiagr_away
07:36 *** rlt_ has joined #openstack-keystone
07:37 <openstackgerrit> Dave Chen proposed openstack/keystone: Show friendly message when request body is not provided  https://review.openstack.org/195001
07:39 <openstackgerrit> Dave Chen proposed openstack/keystone: Show friendly message when request body is not provided  https://review.openstack.org/195903
07:40 <openstackgerrit> Dave Chen proposed openstack/keystone: Show friendly message when request body is not provided  https://review.openstack.org/195429
07:40 <openstackgerrit> Dave Chen proposed openstack/keystone: Show friendly message when request body is not provided  https://review.openstack.org/195429
07:47 <liusheng> dstanek: ping
07:49 <liusheng> dstanek: Hi, could you please take a look at https://review.openstack.org/186987 and the bug description ? thanks
07:51 *** rm_work|away is now known as rm_work
07:56 *** spandhe has quit IRC
08:07 <openstackgerrit> henry-nash proposed openstack/keystone-specs: Enable listing of role assignments in a project hierarchy  https://review.openstack.org/187045
08:07 *** rm_work is now known as rm_work|away
08:11 <tobasco> can/should keystone admin api on port 5000 be exposed to internet?
08:12 <tobasco> i.e should i allow users to manipulate users using the api or only through horizon
08:12 *** rm_work|away is now known as rm_work
08:20 *** dguerri` is now known as dguerri
08:28 <tobasco> keystone tokens get generated with an expires date of -1 hour from what the current time is, date on all nodes (keystone, controller) says correct time
08:44 *** lhcheng has quit IRC
08:53 *** lsmola has quit IRC
08:56 *** fhubik has joined #openstack-keystone
08:56 *** fhubik is now known as fhubik_afk
08:57 *** davechen has left #openstack-keystone
08:58 *** ankita_wagh has quit IRC
09:01 *** BAKfr has quit IRC
09:02 *** tobe has quit IRC
09:03 *** BAKfr has joined #openstack-keystone
09:09 *** husanu1 has joined #openstack-keystone
09:15 *** bradjones has quit IRC
09:16 *** bradjones has joined #openstack-keystone
09:16 *** bradjones has quit IRC
09:16 *** bradjones has joined #openstack-keystone
09:18 *** husanu1 has quit IRC
09:20 *** fhubik_afk is now known as fhubik
09:22 *** boris-42 has quit IRC
09:23 *** husanu2 has joined #openstack-keystone
09:28 *** husanu2 has quit IRC
09:29 *** markvoelker has joined #openstack-keystone
09:33 *** markvoelker has quit IRC
09:34 *** BAKfr has quit IRC
09:39 *** BAKfr has joined #openstack-keystone
09:47 *** danboid has joined #openstack-keystone
09:48 <danboid> Are there any scripts or tools to help inspect keystone logs?
09:49 <openstackgerrit> Marek Denis proposed openstack/keystone: OS-FEDERATION no longer extension in docs  https://review.openstack.org/192671
09:52 <danboid> By inspect I mean parse a keystone log and show you how many auths occurred in a given time, sum the content lengths within that period and stuff like that
09:53 <dstanek> danboid: not that i have seen, but i'm sure operators have tooling to do that
09:53 <danboid> dstanek: operators?
09:53 <dstanek> danboid: people running clouds
09:53 *** stevemar has joined #openstack-keystone
09:54 <danboid> Oh, sys admins! :)
09:54 <danboid> I wouldn't know what one of them is :)
09:54 <dstanek> sorta - operators i think is used because it is a broader topic than just system administration
09:57 *** stevemar has quit IRC
09:59 *** dims has joined #openstack-keystone
09:59 *** Kennan has joined #openstack-keystone
10:00 <Kennan> hi bknudson: or ayoung: there?
10:00 <Kennan> I have question about [keystone_authtoken]
10:00 <Kennan> I found many projects used that
10:00 <Kennan> But right now, it seems some projects have
10:01 <Kennan> username and password
10:01 <Kennan> other projects have
10:01 <Kennan> admin_username and admin_password
10:01 <Kennan> could you two guys or other cores give explanation ?
10:01 <Kennan> what's that for ?
10:01 <Kennan> what's difference ?
10:03 *** arunkant__ has joined #openstack-keystone
10:03 hugokuols
10:04 *** richm has joined #openstack-keystone
10:07 *** arunkant_ has quit IRC
10:15 *** e0ne has joined #openstack-keystone
10:18 *** dims has quit IRC
10:18 *** liusheng has quit IRC
10:19 *** henrynash has quit IRC
10:27 *** lufix has quit IRC
10:30 <dstanek> Kennan: who uses just username/password? i thought it had to be admin_user/admin_password
10:30 <Kennan> hi dstanek: did you try devstack these days?
10:31 <Kennan> I found many projects configure username and password
10:31 <dstanek> Kennan: sure
10:31 <dstanek> which one?
10:31 <Kennan> glance heat
10:31 <Kennan> etc.
10:31 <Kennan> also check redhat install guide http://docs.openstack.org/kilo/install-guide/install/yum/content/glance-install.html
10:32 <Kennan> it also uses username and password
10:32 <Kennan> does not have admin_username
10:32 <Kennan> and admin_password
10:32 <Kennan> for ubuntu it is same
10:34 <dstanek> odd...i don't see that used in the code anywhere; i would not expect that to work; maybe it's from an older version
10:35 <dstanek> yeah, i don't even see that in the kilo version of keystoneclient.middleware.auth_token
10:36 <dstanek> and our docs do say to use admin_user
10:36 *** links has quit IRC
10:36 <Kennan> strange: dstanek I found devstack now uses username and password in glance, heat etc.  Some still use admin_username and admin_password
10:37 <dstanek> Kennan: heat for me is using admin_user/admin_password
10:38 <Kennan> dstanek: check this configure_auth_token_middleware
10:38 <Kennan> http://docs.openstack.org/developer/devstack/lib/keystone.html
10:38 <Kennan> iniset $conf_file $section username $admin_user
10:38 <Kennan> iniset $conf_file $section password $SERVICE_PASSWORD
10:38 <Kennan> it did that
10:38 <Kennan> many projects call configure_auth_token_middleware
10:39 <dstanek> maybe i'm running a very out of date version, but all of my configs are using admin_*
10:40 <dstanek> if that's the case, then i have no idea
10:42 <dstanek> for me heat is doing this: iniset $HEAT_CONF keystone_authtoken admin_user heat
10:42 <Kennan> yes, dstanek: so I feel strange about it, Maybe keystone guys know devstack configures like that. I am looking for help on that :)
10:43 <dstanek> Kennan: have you looked at your configs to see which ones have just username?
10:43 <Kennan> nova glance
10:44 <Kennan> neutron
10:44 <Kennan> also cinder did like that
10:44 <dstanek> i think maybe i have to rebuild because all of my configs are fine
10:45 <Kennan> so I really think it causes conflict and strange for username and admin_username
10:45 <Kennan> password and admin_password
10:46 <Kennan> may need more keystone guys input about that
10:46 <Kennan> why need to configure that way?
10:46 <dstanek> the majority won't be online for a few hours
10:49 <Kennan> ok dstanek:
10:59 *** dims has joined #openstack-keystone
11:08 *** e0ne is now known as e0ne_
11:17 *** links has joined #openstack-keystone
11:17 *** markvoelker has joined #openstack-keystone
11:18 *** e0ne_ has quit IRC
11:19 *** links has quit IRC
11:22 *** markvoelker has quit IRC
11:23 *** jdennis has joined #openstack-keystone
11:30 <openstackgerrit> Davanum Srinivas (dims) proposed openstack/oslo.policy: Add six and oslo.utils to requirements  https://review.openstack.org/195846
11:30 <openstackgerrit> Davanum Srinivas (dims) proposed openstack/oslo.policy: Add tox target to find missing requirements  https://review.openstack.org/195842
11:32 *** ajayaa has quit IRC
11:39 *** e0ne has joined #openstack-keystone
11:41 *** aix has quit IRC
11:42 *** bradjones has quit IRC
11:45 *** bradjones has joined #openstack-keystone
11:45 *** bradjones has quit IRC
11:45 *** bradjones has joined #openstack-keystone
11:46 <dstanek> marekd: you around?
11:48 <dstanek> rodrigods: how about you?
11:51 *** ajayaa has joined #openstack-keystone
12:00 *** markvoelker has joined #openstack-keystone
12:01 <marekd> dstanek: yes
12:02 <marekd> dstanek: what's up?
12:02 <dstanek> marekd: do you have a few for some k2k questions?
12:02 <marekd> dstanek: sure
12:02 <dstanek> some guys at rax are trying to set it up and running into some issues i haven't seen before....jas
12:03 <marekd> dstanek: what are those issues?
12:03 *** hughsaunders has joined #openstack-keystone
12:03 <dstanek> i'm getting them in here
12:03 <marekd> dstanek: roger
12:04 *** Ctina_ has joined #openstack-keystone
12:05 *** odyssey4me has joined #openstack-keystone
12:05 <dstanek> hughsaunders: what is the last issue you just ran into?
12:06 <hughsaunders> hey all, I'm trying to get a test environment setup for k2k federation. So far it's at the point where I can request a SAML assertion from IDP keystone and post it to SP keystone. SP keystone redirects and sets a cookie. However I can't use that cookie to request a token. At that stage I get "shib_check_user found no per-request structure"
12:06 <odyssey4me> dstanek so hughsaunders is trying to get k2k idp/sp right, whereas I'm trying to get a keystone sp with the www.testshib.org idp right
12:07 <hughsaunders> That sounds like it might be an issue with the mapping object I had to create on the SP keystone
12:08 <odyssey4me> I am wondering whether anyone has a kilo reference set of configs we can work from, whether for k2k or for keystone to another idp?
12:08 *** aix has joined #openstack-keystone
12:09 *** dims is now known as dimsum__
12:09 *** fhubik is now known as fhubik_afk
12:10 *** dguerri is now known as dguerri`
12:10 <marekd> hughsaunders: odyssey4me i can share with you my mapping i used for my testbed...
12:11 <marekd> hughsaunders: i can also try to take a look at your mapping if it's not confidential and stuff.
12:11 <marekd> s/you/your/
12:11 <hughsaunders> marekd: that would be useful, thanks
12:12 <hughsaunders> marekd: current mapping is on line 76 of this: https://etherpad.openstack.org/p/osad-keystone-idp-sp it was mostly taken from http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo/ just modified to add my test user
12:13 *** dims_ has joined #openstack-keystone
12:13 <hughsaunders> *line
12:14 <marekd> hughsaunders: ugh, rodrigo made wrong mapping rules and ppl use them :(
12:14 <marekd> let me try with fixing it...
12:14 <odyssey4me> o_O
12:15 <odyssey4me> hughsaunders to clarify, are you using the master (liberty) branch for your deployment - or the head of stable/kilo?
12:15 <marekd> ah no, sorry i think yours looks fine...
12:15 <openstackgerrit> Davanum Srinivas (dims) proposed openstack/oslo.policy: Add six and oslo.utils to requirements  https://review.openstack.org/195846
12:16 *** dimsum__ has quit IRC
12:17 <odyssey4me> marekd the blogs and docs are unfortunately a bit inconsistent - some appear to be stuck in the juno timeframe, while others are not - this makes our lives a little complicated :(
12:17 <hughsaunders> odyssey4me: keystone_git_install_branch: 7f76f23bccd772df35da63584685584576289255 # HEAD of "master" as of 08.06.2015
12:18 <marekd> odyssey4me: rodrigods made two blog posts, one with juno (broken in fact) and the second with kilo version (works)
12:18 <marekd> odyssey4me: ok, one question: is group id (set to fedgroup.id) somehow a real group id?
12:18 <marekd> or maybe it's replaced with uuid later on ?
12:19 <hughsaunders> marekd: do you know of docs for the federation parts of the keystone api? I couldn't find them in http://developer.openstack.org/api-ref-identity-v3.html or the v3 extensions page
12:20 <marekd> odyssey4me: also, which problems are you actually running into? If I were you I'd first make sure keystone-sp works (with testshib for instance) and later proceed to keystone-idp (much simpler part tbh)
12:20 <marekd> hughsaunders: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html maybe this?
12:20 *** rmstar has joined #openstack-keystone
12:20 *** packet has joined #openstack-keystone
12:21 <odyssey4me> marekd so hughsaunders is trying to test k2k idp/sp, whereas I'm trying to test a keystone sp against testshib so that I hopefully get at least the sp right
12:21 <marekd> odyssey4me: alright.
12:21 <marekd> odyssey4me: so, what are you stuck with?
12:21 <odyssey4me> marekd unfortunately my redirect seems to stick in keystone and the keystone service doesn't seem to redirect the auth to the testshib idp for some reason
12:22 <hughsaunders> marekd: thanks, I guess the docs team will move that into docs when they have time.
12:23 <marekd> odyssey4me: you are using browser, right?
12:23 <odyssey4me> marekd so what information can I give you that will help dig into the solution? alternatively if you like I can give you access to my test server to try to identify where things are going wrong
12:23 <odyssey4me> marekd yes, I am - and I've configured Horizon according to http://docs.openstack.org/developer/keystone/extensions/websso.html
12:25 <marekd> odyssey4me: did you upload all metadata to testshib?
12:25 <odyssey4me> marekd, yep - I did
12:26 <marekd> odyssey4me: alright, if i can access your machine that would be cool.
12:26 <odyssey4me> I've also confirmed that the idp metadata is being downloaded to the keystone server
12:26 <marekd> i can try to debug it quickly.
12:27 <odyssey4me> thanks marekd - I really appreciate it... the shibboleth /shibd configuration has really been doing my head in
12:27 <marekd> no worries.
12:27 <marekd> i know it's a piece of shhhh
12:28 <hughsaunders> ibboleth...
12:28 *** dguerri` is now known as dguerri
12:28 *** aix has quit IRC
12:30 *** fhubik_afk is now known as fhubik
12:32 *** edmondsw has joined #openstack-keystone
12:36 <hughsaunders> marekd: with the mapping rules, can I specify a group in the IdP keystone and map all members of that group into a group on the SP keystone? At the moment I have individual users listed, but that's not ideal
12:37 *** raildo has joined #openstack-keystone
12:38 *** fhubik has quit IRC
12:39 *** iurygregory has joined #openstack-keystone
12:40 <hughsaunders> hmm, actually that federation spec gives some more examples of mappings
12:41 *** fhubik has joined #openstack-keystone
12:44 *** htruta has joined #openstack-keystone
12:45 *** tellesnobrega has joined #openstack-keystone
12:50 <marekd> hughsaunders: sorry, was helping odyssey4me not...
12:50 <marekd> so right now you can map only to a group
12:50 *** bknudson has quit IRC
12:51 <marekd> or the existing user (user that exists in the backend, but not the core of a federated workflow)
12:51 <marekd> you need some link between your identity and roles/role assignments.
12:52 *** mestery has joined #openstack-keystone
12:53 *** packet has quit IRC
12:53 *** htruta has quit IRC
12:53 <hughsaunders> marekd: np, thanks for helping odyssey4me :)
12:55 *** henrynash has joined #openstack-keystone
12:55 *** ChanServ sets mode: +v henrynash
12:57 *** mestery has quit IRC
13:04 *** tellesnobrega has quit IRC
13:07 *** dimsum__ has joined #openstack-keystone
13:08 *** tellesnobrega has joined #openstack-keystone
13:10 *** dims_ has quit IRC
13:14 *** danboid has quit IRC
13:18 *** henrynash has quit IRC
13:19 *** bknudson has joined #openstack-keystone
13:19 *** ChanServ sets mode: +v bknudson
13:23 *** ihrachyshka has joined #openstack-keystone
ihrachyshkabknudson, hey. re that bug about keystone crashing in grenade. afaik it should not reload code unless it's main script is modified13:23
bknudsonihrachyshka: I can do some experiments... maybe it's documented somewhere how it's supposed to work13:24
ihrachyshkaat least that's what I get from reading mod_wsgi docs on daemon mode13:24
ihrachyshkabknudson, it is: https://code.google.com/p/modwsgi/wiki/ReloadingSourceCode13:24
ihrachyshkawe run in daemon mode13:25
ihrachyshkabtw it also crashes on imports from keystone.* namespace, so it's not about oslo libraries being updated.13:26
ihrachyshkaUNLESS the error does not really show the culprit but some bogus error13:26
*** pdar has left #openstack-keystone13:26
ihrachyshkalike e.g. something crashes with ImportError on some oslo library, then it's unwinds stack and shows ImportError for a module that triggered the oslo import, but without details about actual crash13:27
*** ajayaa has quit IRC13:29
bknudsoncrashing on imports from keystone.* would be interesting since I don't see why grenade would be modifying those files13:29
bknudsondo you have an example log?13:29
*** stevemar has joined #openstack-keystone13:31
ihrachyshkabknudson, a sec...13:31
bknudsonI've seen the ArgsAlreadyParsed , but that's not on import13:33
*** stevemar has quit IRC13:33
*** dguerri is now known as dguerri`13:33
ihrachyshkabknudson, http://logs.openstack.org/77/195277/16/check/check-grenade-dsvm-neutron/99916dc/logs/apache/keystone.txt.gz13:33
ihrachyshkabknudson, that ArgsAlreadyParsed always came after Import error13:33
bknudsonImportError: cannot import name schema13:33
bknudsonyou get that exception when the file doesn't exist?13:34
bknudsonI'll try it13:34
ihrachyshkabknudson, yeah, you would get it. Not sure if that's the only case for that kind of failure though.13:35
ihrachyshkamod_wsgi can do all kinds of tricks caching python modules13:35
bknudsonyou're not suggesting that keystone is purposefully deleting it's own files?13:35
openstackgerritDave Chen proposed openstack/keystone: Show friendly message when request body is not provided  https://review.openstack.org/19542913:36
openstackgerritDave Chen proposed openstack/keystone: Show friendly message when request body is not provided  https://review.openstack.org/19500113:36
ihrachyshkaiiuc it does cache modules to avoid performance hit for python env bootstrap on each hit, and you make mod_wsgi reload everything by touching main wsgi script13:36
bknudsonihrachyshka: I'm going to try it out with devstack... delete some files and stuff13:37
ihrachyshkabknudson, I don't know! :) it may be grenade, or that error may not be the real problem but just some fossil from earlier failure13:37
*** arunkant_ has joined #openstack-keystone13:38
ihrachyshkawe can try to play with wsgi settings, like running more processes and less threads maybe. not sure, I was really far from all that until we started to be hit by this in neutron.13:38
ihrachyshkathe fact that it's neutron only is suspicious though, and it does not help to get attention from other devs either13:38
ihrachyshkasince every other gate works :)13:38
ihrachyshkaand no one cares about neutron being blocked13:38
bknudsonwe've become numb to neutron failures13:38
ihrachyshkawell, it's definitely not neutron's fault I would say. it may be some interesting bug that is triggered by neutron upgrade that does more python module updates and such, or some timing thing due to more work to do during grenade. but I don't see how neutron is involved per se, outside of its integration into grenade process.13:40
bknudsonI don't think neutron is deleting keystone files.13:40
*** browne has joined #openstack-keystone13:41
gordcbknudson: just curious but do you guys recall why you gate on check-swift-dsvm-functional13:41
ihrachyshkabtw neutron is upgraded after keystone, so its python module version bumps go after keystone is up13:41
*** arunkant__ has quit IRC13:41
ihrachyshkathat said, the only version bump I see is around oslo.middleware - it's downgraded, then upgraded back13:41
ihrachyshkaand that flip-flopping seems to be due to poor pip dep solver13:42
ihrachyshkaagain, not sure it's relevant, just some weird sound from trenches13:42
*** woodster_ has joined #openstack-keystone13:44
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300713:44
bknudsonihrachyshka: I was able to recreate "2015-06-26 08:44:27.200423 ImportError: cannot import name schema"13:44
bknudsonI deleted the file13:44
rodrigodsbknudson ^removed the WIP from the API spec changes for Reseller and is_domain in token response13:45
bknudsonand then I did some requests... several worked.13:45
ihrachyshkabknudson, meh, I don't think it's actually deleted though. Though maybe grenade does some weird things with git checkout?..13:45
ihrachyshkabknudson, several worked, but not all?13:45
*** raildo has quit IRC13:45
*** iurygregory has quit IRC13:45
bknudsonihrachyshka: actually, I tried some and they were still working13:46
ihrachyshkabknudson, yeah, because, as per mod_wsgi docs, it does not reload anything until wsgi script is touched13:46
bknudsonand one just worked... that's weird13:46
*** iurygregory has joined #openstack-keystone13:46
*** e0ne is now known as e0ne_13:46
bknudsonI'll try touching the wsgi script13:46
*** raildo has joined #openstack-keystone13:47
bknudsonI thought it must be creating some instances dynamically13:47
*** boris-42 has joined #openstack-keystone13:47
ihrachyshkabknudson, now try to touch the wsgi script and see how quick it starts to fail :) and then back. I wonder whether workers are somehow cached there with wrong env and then are hit with requests once all is good on file system, but not at all in that cached env13:47
*** dguerri` is now known as dguerri13:48
*** dguerri is now known as dguerri`13:48
*** htruta has joined #openstack-keystone13:49
*** dguerri` is now known as dguerri13:50
bknudsonit seems to be failing all the time now.13:50
ihrachyshkabknudson, after touch?13:51
bknudsonihrachyshka: y, I touched the files.13:51
*** lufix has joined #openstack-keystone13:52
bknudsonwhen I put that file back it place it starts working again13:52
ihrachyshkawithout touching?13:52
bknudsonI didn't have to touch the script to get it working again13:52
bknudsonyou can see from the keystone log that it's starting several times13:53
bknudsonhttp://logs.openstack.org/77/195277/16/check/check-grenade-dsvm-neutron/99916dc/logs/apache/keystone.txt.gz -- it logs the config options when it starts up13:53
ihrachyshkabknudson, I suspect it's multiple processes?13:54
bknudsonfor some reason at 2015-06-26 11:18:17.586639 it starts up all the time, whereas before that it's not starting -- http://logs.openstack.org/77/195277/16/check/check-grenade-dsvm-neutron/99916dc/logs/apache/keystone.txt.gz#_2015-06-26_11_18_17_58663913:54
ihrachyshkabknudson, devstack uses WSGIDaemonProcess keystone-public processes=5 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV%13:54
bknudsonihrachyshka: that's what I've got in my config file13:55
bknudsonhttps://code.google.com/p/modwsgi/wiki/ReloadingSourceCode#Restarting_Apache_Processes -- mentions MaxRequestsPerChild ...13:55
ihrachyshkaI would expect apache to start those 5 processes and allow them to sit there waiting for requests13:55
*** e0ne_ is now known as e0ne13:56
ihrachyshkabknudson, not sure you want to reload it on every request13:56
bknudsonit's very slow13:57
*** ayoung has quit IRC14:00
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Add is_domain to tokens for projects acting as a domain  https://review.openstack.org/19354314:02
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Add is_domain to tokens for projects acting as a domain  https://review.openstack.org/19354314:03
*** timsim has left #openstack-keystone14:06
*** browne has quit IRC14:10
*** ayoung has joined #openstack-keystone14:12
*** ChanServ sets mode: +v ayoung14:12
*** e0ne is now known as e0ne_14:14
*** browne has joined #openstack-keystone14:16
ayoungAh,  Stevemar has a lovely blog post on openidc...14:16
bknudsonihrachyshka: I made the logging a little clearer here and it starts up 10 processes on the first 10 requests.14:16
*** e0ne_ is now known as e0ne14:16
bknudsonI can't figure out how to get it to start the processes when the httpd starts rather than on-demand14:17
ihrachyshkabknudson, so it's on demand? and after pool is full, they are reused, right?14:17
bknudsonihrachyshka: yes. I'll see if it reloads ever once the 10 have started14:18
ihrachyshkabknudson, http://stackoverflow.com/questions/1702562/speeding-up-the-first-page-load-in-django14:18
*** ajayaa has joined #openstack-keystone14:19
bknudsonwe'd need an import script... I tried to make one once.14:19
*** sigmavirus24_awa is now known as sigmavirus2414:19
bknudsonihrachyshka: https://review.openstack.org/#/c/71642/14:20
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Add is_domain to tokens for projects acting as a domain  https://review.openstack.org/19354314:20
ihrachyshkabknudson, please share your findings in that bug, we need to have it documented. I will need to leave now, but please look into the issue if you have cycles. we really depend on it being solved in timely manner. we'll owe you :)14:20
dstanekbknudson: ihrachyshka: the problem isn't that it's reloading it's that there seems to be some extra state lingering right?14:21
bknudsondstanek: when it reloads it finds there's some files missing14:21
ihrachyshkadstanek, well... I think workers failing to reply to requests is still an issue14:21
ihrachyshkaeven if there is another problem of keystone failing to recover after a worker failure14:21
dstanekbknudson: really? what is missing?14:22
bknudsondstanek: apparently keystone.assignment.schema14:23
bknudsonhttp://logs.openstack.org/77/195277/16/check/check-grenade-dsvm-neutron/99916dc/logs/apache/keystone.txt.gz#_2015-06-26_11_22_06_80300414:23
bknudsonalthough we've seen other missing files in oslo, etc.14:23
dstanekbknudson: are they actually missing or is the python path borked?14:24
bknudsonfrom oslo_utils import excutils14:24
*** henrynash has joined #openstack-keystone14:24
*** ChanServ sets mode: +v henrynash14:24
bknudson?? I don't see anything in the log saying the python path is borked14:24
ihrachyshkawell, I would be really surprised if files are gone indeed. they may have some newer versions though, making mod_wsgi caching mechanism producing interesting crashes14:25
rodrigodshenrynash, we have added the API spec changes to the is_domain spec14:25
ihrachyshkabut I'm probably talking nonsense14:26
rodrigodshenrynash, let's hope it is approved today14:26
henrynashrodigods: I’ll check it out14:26
*** r-daneel has joined #openstack-keystone14:26
bknudsonI don't think we're going to be able to fix this in keystone... it'll have to be grenade14:27
bknudsonwhy are packages getting reinstalled?14:27
bknudsonmaybe keystone installed the wrong version or neutron is14:27
bknudsondo the logs show reinstalling packages?14:28
dstanekbknudson: when i was looking earlier in the week things were definitely getting reinstalled14:28
bknudsondstanek: on purpose? I don't see why that would be required if the right version was installed to begin with14:29
bknudsonhttp://logs.openstack.org/66/185066/3/check/check-grenade-dsvm-neutron/45d8663/logs/grenade.sh.txt.gz#_2015-06-18_09_08_25_942 ?14:30
ihrachyshkabknudson, which packages do you mean?14:31
bknudsonall packages14:31
ihrachyshkabknudson, well, this is done because the overall process looks like: install kilo, start services; check they are running; then stop services; upgrade code to master (it includes calling to pip install and bumping versions for all unsatisfied deps), then start services; and run tempest.14:32
ihrachyshkait's upgrade test, so it upgrades packages.14:32
bknudsonthat shouldn't be a problem if keystone is restarted after packages are updated.14:33
ihrachyshkabknudson, if you mean python-openstackclient installation triggering keystoneclient version bump, then no, it's not the culprit: I sent a patch that moved its installation to before keystone upgrade, and it didn't help14:34
ihrachyshkaI would agree though that that particular openstackclient installation should not be done in global python path14:34
ihrachyshkavenv would suffice and isolate services from unneeded version bumps14:35
*** samueldmq has joined #openstack-keystone14:35
bknudsonso here's the call to upgrade_project keystone: http://logs.openstack.org/66/185066/3/check/check-grenade-dsvm-neutron/45d8663/logs/grenade.sh.txt.gz#_2015-06-18_09_05_42_31114:36
bknudsonhere's the keystone files: http://git.openstack.org/cgit/openstack-dev/grenade/tree/projects/10_keystone14:37
dstanekthat error log shows it fails because of a glance call. is that actually glance failing to talk to keystone?14:37
ihrachyshkadstanek, it's keystone crashing on import error and apache returning 50114:39
*** ihrachyshka is now known as ihrachyshka|away14:40
henrynashrodigods: see comments I added14:43
dstanekbknudson: i can't tell from this log...is keystone being restarted after the upgrade?14:44
bknudsondstanek: I'm trying to figure that out, too14:45
bknudsonif it's running in apache you need to restart apache14:45
henrynashrodigods: oh…now I see what you did - you merged it into mine?14:45
*** pnavarro is now known as pnavarro|off14:45
henrynashrodigods: not sure that makes sense14:45
dstanekbknudson: right. which makes me wonder about this http://git.openstack.org/cgit/openstack-dev/grenade/tree/projects/10_keystone/shutdown.sh14:45
bknudsonhttp://logs.openstack.org/66/185066/3/check/check-grenade-dsvm-neutron/45d8663/logs/grenade.sh.txt.gz#_2015-06-18_09_05_09_27914:45
bknudsonlooks like it reloads apache2 ?14:45
henrynashrodigods: my spec doesn’t talk about adding is_domain to the project entity etc.14:47
bknudsondstanek: Stop apache2 at 090509, Upgrade keystone at 090542, Restart apache2 at 09054314:48
bknudsonthat all seems right14:48
bknudsonhttp://logs.openstack.org/66/185066/3/check/check-grenade-dsvm-neutron/45d8663/logs/grenade.sh.txt.gz#_2015-06-18_09_05_50_64514:49
bknudsonthen it goes on to upgrade ceilometer, etc.14:49
rodrigodshenrynash, yep, but I can remove from your change14:49
henrynashrodigods: great….I made comments on your patch14:50
*** vilobhmm has joined #openstack-keystone14:50
henrynashrodigods: technically, your patch would be first to add is_domain to the project entity and clarify the rules of scoping…but NOT mention the token change….then mine would follow yours adding in the token change14:51
rodrigodshenrynash, yes... we discussed this here14:52
rodrigodswe just want to speed up the approval14:52
dstanekbknudson: but several more upgrades happen between the keystone restart and the keystone failure14:52
henrynashrodigods: so I’m Ok leaving it in the current order….but just can’t squash the API changes into mine if mine is first…or I have to rewrite my spec!14:53
bknudsondstanek: y, upgrading other servers... if those are messing with already-installed packages that might be a problem.14:53
bknudsonpackages that keystone is using14:53
rodrigodshenrynash, ++14:54
*** ROT26 has joined #openstack-keystone14:54
e0nemorganfainberg: hello. fyi, i created spec for oslo.service about non-eventlet WSGI app https://review.openstack.org/#/c/196088/14:55
*** stevemar has joined #openstack-keystone14:56
*** fhubik has quit IRC14:56
*** belmoreira has quit IRC14:57
*** htruta has quit IRC14:58
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Add is_domain to tokens for projects acting as a domain  https://review.openstack.org/19354314:59
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300714:59
rodrigodshenrynash, fixed the nits and replied your comment regarding is_domain14:59
rodrigodshenrynash, check if you agree with it14:59
henrynashrodigods: looking14:59
bknudsondstanek: so in the logs we see15:00
bknudsonCollecting oslo.middleware!=2.0.0,>=1.2.0 (from keystone==2015.2.0.dev1)15:00
bknudsonCollecting oslo.middleware<1.1.0,>=1.0.0 (from oslo.messaging>=1.8.0->glance==2015.2.0.dev91)15:00
dstanekyay for compatibility!15:00
bknudsonso it downgrades oslo.middleware15:00
bknudsonthat can't be right15:01
bknudsonI'm not saying that's the problem but maybe there are more of these.15:01
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300715:01
*** lufix has quit IRC15:02
dstaneke0ne: is that just documenting what we already do in keystone?15:02
morganfainbergbknudson: the error is in loading oslo_utils.excutils, i'm wondering if we're hitting one of those weird namespace errors on oslo.utils vs oslo_utils15:02
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy: Add tox target to find missing requirements  https://review.openstack.org/19584215:03
e0nedstanek: it's propose to make it based on oslo.service15:03
bknudsonwe see other errors, too15:03
morganfainbergbknudson: the oslo_config one is a redherring15:03
morganfainbergbknudson: that is because we had an error earlier.15:03
morganfainbergand the options are already registered15:03
henrynashrodigdos: agreed15:04
rodrigodshenrynash, great!15:04
*** ajayaa has quit IRC15:05
bknudsonmorganfainberg: here's another one: http://logs.openstack.org/77/195277/16/check/check-grenade-dsvm-neutron/99916dc/logs/apache/keystone.txt.gz#_2015-06-26_11_22_06_80300415:05
bknudsonhttp://logs.openstack.org/77/195277/16/check/check-grenade-dsvm-neutron/99916dc/logs/apache/keystone.txt.gz#_2015-06-26_11_21_59_792406 -- ImportError: No module named keystoneclient.common15:05
*** mestery has joined #openstack-keystone15:06
morganfainbergbknudson: i think we need to get infra to hold one of these instances for us15:06
morganfainbergbknudson: and poke at it directly15:06
dstaneke0ne: oh, i see. i didn't realize that a framework is needed here. can you add details about what the framework is for to the review?15:06
e0nedstanek: thanks, i'll do15:07
e0nedstanek: i'm pretty sure that we'll have some the same code in all projects so i'll try to move it to oslo15:07
dstaneke0ne: imo, we should wait and see a few impls before picking one as a framework15:08
e0nedstanek: fair enough. let's see what we'll we have in cinder15:08
*** henrynash has quit IRC15:09
e0nedstanek: according to your comment. i don't want to implement new web framework. i'm going to do it based on webob or another one which is used in projects15:10
e0nedstanek: i need to add more clear explanation into the spec. thanks for review15:10
dstaneke0ne: i wasn't talking about a framework; i was talking about the one you are proposing15:11
e0nedstanek: i understood. thank you15:11
dstaneke0ne: the interesting thing is that i'm working on a flask port for keystone that will not use webob15:11
e0ne:)15:12
morganfainberge0ne; we are moving to flask15:12
e0neimo, it's great idea!15:13
dstaneke0ne: i think in that spec you should layout the responsibilities of the framework in general terms15:13
openstackgerritMonty Taylor proposed openstack/keystoneauth: Remove opestack-common.conf  https://review.openstack.org/19609815:13
*** dimsum__ has quit IRC15:13
dstanekfor a wsgi app you just need to export an application object15:13
dstanekbknudson: once my devstack node builds i'll create a grenade node too - why do these things take so long :-(15:14
bknudsonlooks like a lot of requirements are way out of date...15:14
bknudsonin several packages15:14
bknudsone.g., glance is failing jenkins15:14
e0nedstanek: agree.15:16
e0nedstanek: i would like to implement such feature in cinder and look what code will be the same or the similar to the keystone's15:16
e0nedstanek: and yes, it's not needed in case of flask:)15:17
*** mestery has quit IRC15:17
dstaneke0ne: i'm curious what you're thinking because keystone already supports wsgi and eventlet deployment15:18
*** samueldmq has quit IRC15:21
morganfainbergbknudson: trying to grab the failing test on a real node15:22
morganfainbergdstanek, ^cc15:23
dstanekmorganfainberg: awesome15:23
*** e0ne is now known as e0ne_15:25
*** e0ne_ is now known as e0ne15:25
bknudsoncould we get https://review.openstack.org/#/c/193741/ merged sometime so that we can get keystone requirements updated?15:27
morganfainbergbknudson: +215:28
e0nedstanek: afair, only keystone supports these two deployment modes15:28
dstanekbknudson: looks like that's rolling now15:29
bknudsonI think glance has the same bug which is why their requirements is so out of date15:30
*** radez is now known as radez_g0n315:30
dstaneksigmavirus24: ^15:30
* sigmavirus24 looks15:30
*** radez_g0n3 is now known as radez15:30
*** tellesnobrega has quit IRC15:34
*** tellesnobrega has joined #openstack-keystone15:38
*** stevemar has quit IRC15:40
*** stevemar has joined #openstack-keystone15:41
*** zzzeek has joined #openstack-keystone15:42
*** ajayaa has joined #openstack-keystone15:48
*** stevemar has quit IRC15:50
*** stevemar has joined #openstack-keystone15:50
*** stevemar has quit IRC15:50
*** stevemar has joined #openstack-keystone15:51
*** pballand has joined #openstack-keystone15:54
*** htruta has joined #openstack-keystone15:56
*** vilobhmm has quit IRC15:58
*** janonymous_ has joined #openstack-keystone16:00
janonymous_https://review.openstack.org/#/c/193866/16:01
*** njewell has joined #openstack-keystone16:04
*** anhhuynx has joined #openstack-keystone16:04
*** Jason10258 has joined #openstack-keystone16:04
morganfainbergcrap16:05
morganfainbergnode passed when i was looking at it16:05
morganfainbergthere is some weird order bug16:05
morganfainbergbknudson, dstanek, ^16:05
openstackgerritMerged openstack/keystoneauth: Remove keystoneclient lingering files.  https://review.openstack.org/19571016:08
*** rushiagr_away is now known as rushiagr16:09
*** e0ne is now known as e0ne_16:14
*** gabriel-bezerra has quit IRC16:15
*** e0ne_ has quit IRC16:15
mfischdolphm: idea from ducttape_, if someone hands me an invalid fernet token does it try all the keys on the box? if so that would spike load * number of keys you hold16:15
morganfainbergmfisch: you do try each key - the idea is you shouldn't keep keys around outside of the (rotate_window + token_TTL)16:16
*** Lactem has joined #openstack-keystone16:16
morganfainbergmfisch: generally i wouldn't expect too many keys - unless you're doing an insane rotation16:17
mfischyou guys may want to publish some guidance on that16:17
morganfainbergmfisch: assuming 86400s TTL, and a 1x a day rotation, you wont have more than 2-3 keys at a time16:17
mfischthe rotation tool does not handle "remove these 5 really really old keys"16:17
mfischnot to my knowledge anyway16:17
mfischwe have 3 keys16:17
Lactemhttp://docs.openstack.org/developer/python-keystoneclient/using-api.html The example at the very bottom of that page (how to make an endpoint) uses Client. Does anyone know how to get Client in a test case such as in one of these methods: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_catalog.py#L410-L724 ?16:17
morganfainbergmfisch: 3 keys is about what i'd expect on normal installs16:17
morganfainbergmfisch: and a max keynum of ~4 or so.16:18
mfischan invalid token before was not 3x cpu load, so it's something for people to keep in mind16:18
mfischI think today we got hit with that from swift16:18
bknudsondidn't the server need to go through every token to see if it was handed an invalid one?16:18
morganfainbergmfisch: 3x CPU in fernet is also much lower than 3x "get from DB" or 3x "PKI decode"16:18
mfischit wasn't 3x before for invalid16:19
mfischselect * from token where id='x'; (0 rows selected)16:19
morganfainbergmfisch: invalid as in revoked?16:19
bknudsonthat requires a table scan16:19
morganfainbergmfisch: or invalid as in expired?16:19
mfischas in old yeah16:19
mfischexpired16:19
bknudsonor a walk through the index if there's an index on the token id16:19
mfischactually this is all wrong16:19
morganfainbergbknudson: it was a walk through the index16:20
mfischif an old token comes in, the first key decrypts it, and then keystone says "this is old",16:20
Jason10258Do any of you know where the CA key files/configs are?16:20
morganfainbergsince there was an index16:20
*** fangzhou has joined #openstack-keystone16:20
LactemWoah it's Jason10258. I'm a huge fan.16:20
bknudsonit must have been a hash of the token then since the token is 8k16:20
mfischI assume it doesn't have to fallback to other keys16:20
morganfainbergmfisch: yes that has to be done. it's a 3x decrypt vs a walk the index to DB16:20
morganfainbergmfisch: if it succeeds it will stop looking at subsequent keys16:20
mfischmorganfainberg: but an expired token will decrypt with the primary key still16:20
morganfainbergmfisch: correct. it's 3x cost on a rotated key (well 2x in your case)16:21
Jason10258Do any of you know where the CA key files/configs are?16:21
morganfainbergmfisch: if you get a really old token - that is where the cpu cost is higher16:22
morganfainbergmfisch: not just any expired16:22
Jason10258or do they just not exist anymore?16:22
mfischI'm speaking of a regular old expired token16:22
morganfainbergmfisch: then it's decrypted with the current key16:22
mfischI assume it's: decrypt, look at valid time, reject16:22
mfischok16:22
morganfainbergmfisch: no fallback16:22
mfischwould not make sense otherwise16:22
morganfainbergmfisch: fallback only happens if the key is mismatched and it needs to try the alternate keys16:23
morganfainbergand i *think* it does the HMAC for that check16:23
*** ducttape_ has joined #openstack-keystone16:23
morganfainberginstead of a full HMAC + decrypt16:23
morganfainbergso it checks HMAC sig and that is how it knows if it should even try and decrypt16:23
morganfainbergwhich iirc is lower cost.16:24
*** Akshay00 has joined #openstack-keystone16:24
mfischthanks morganfainberg16:24
rodrigodsmorganfainberg, can you take a look in https://review.openstack.org/#/c/193543/ ? I believe we addressed bknudson comment to remove the WIP from the follow up patch16:28
*** tellesnobrega has quit IRC16:28
openstackgerritMerged openstack/keystone: Don't try to drop FK constraints for sqlite  https://review.openstack.org/19374116:30
*** gyee has joined #openstack-keystone16:31
*** ChanServ sets mode: +v gyee16:31
*** fangzhou_ has joined #openstack-keystone16:32
Jason10258Do any of you know where the CA key files/configs are?16:32
Jason10258or do they just not exist anymore?16:32
*** fangzhou has quit IRC16:33
*** fangzhou_ is now known as fangzhou16:33
Jason10258I am an intern at Intel working on a bug (https://bugs.launchpad.net/keystone/+bug/1287414) and I am having troubles finding the semi-existent CA keys16:34
openstackLaunchpad bug 1287414 in Keystone "Keystone should not require CA key" [Low,Triaged] - Assigned to Jason O'Brien (jason10258)16:34
morganfainbergJason10258: i think those are only generated if you use pkisetup16:35
morganfainbergJason10258: which is only needed when you are doing pki tokens16:35
*** tellesnobrega has joined #openstack-keystone16:35
Jason10258ok thank you . Ill try that out16:35
*** Ephur has joined #openstack-keystone16:36
*** gabriel-bezerra has joined #openstack-keystone16:38
*** _cjones_ has joined #openstack-keystone16:39
*** Lactem has quit IRC16:39
*** roxanaghe has joined #openstack-keystone16:43
*** e0ne has joined #openstack-keystone16:43
*** dguerri is now known as dguerri`16:44
*** e0ne has quit IRC16:45
*** henrynash has joined #openstack-keystone16:46
*** ChanServ sets mode: +v henrynash16:46
morganfainbergayoung: is jamielennox|away on vacation?16:48
mfischmorganfainberg: can I change the crypt_strength without screwing up in-flight tokens?16:48
morganfainbergmfisch: uhmm........16:49
mfischI was going to do an experiment on something16:49
morganfainbergmfisch: what crypt strength you changing?16:49
mfischthe one in keystone.conf, isn't it used for the tokens?16:50
mfisch# The value passed as the keyword "rounds" to passlib's16:50
mfisch# encrypt method. (integer value)16:50
mfisch#crypt_strength=4000016:50
morganfainbergnope16:50
morganfainbergthat is for password rounds16:50
morganfainberghttps://github.com/openstack/keystone/blob/master/keystone/common/config.py#L83-L8416:51
mfischah I thought dstanek said otherwise, thanks16:51
morganfainbergyeah fernet uses HMAC256(create_time, AES128(payload)) i think16:51
morganfainbergand is fixed16:51
mfischty16:51
morganfainbergfixed in the cryptography library we use16:51
morganfainbergnot something we specify16:51
morganfainbergmfisch: so you can totally change the crypt strength and not affect tokens ¬_¬16:52
mfischubuntu package has the wrong default in the config file16:53
*** dimsum__ has joined #openstack-keystone16:53
morganfainbergwe just updated that default recently16:53
mfischthat would explain16:53
mfischlooks like 40k to 10k?16:53
morganfainbergyep16:53
morganfainberghttps://github.com/openstack/keystone/commit/67e0ba5ee2108731050e26f7b4dd6c8d3dab118d16:53
*** spandhe has joined #openstack-keystone16:54
*** browne has quit IRC16:59
*** pballand has quit IRC17:00
morganfainberghenrynash, rodrigods, ayoung, do we have a blog post about setting up an LDAP backed domain somewhere17:01
*** HT_sergio has joined #openstack-keystone17:01
morganfainbergdstanek, ^cc17:01
morganfainbergi'm sure we had one somewhere...17:01
morganfainbergmfisch, ^ cc17:01
henrynashmorganfainberg: I think samueldmq had something in terms17:01
*** pballand has joined #openstack-keystone17:02
henrynashayoung too, me thinks17:02
morganfainbergah here http://adam.younglogic.com/2015/02/adding-an-ldap-backed-domain-to-a-packstack-install/17:02
mfischnot a domain sorry17:02
*** atiwari has joined #openstack-keystone17:02
*** atiwari has quit IRC17:03
*** tellesnobrega has quit IRC17:03
*** atiwari has joined #openstack-keystone17:03
openstackgerritMerged openstack/keystone: Switch to oslo.service  https://review.openstack.org/19373217:06
morganfainbergbknudson, ^ woooo17:06
openstackgerritMerged openstack/keystone: Update sample configuration file  https://review.openstack.org/19387917:06
bknudsonmorganfainberg: 1k fewer lines of code to worry about17:06
morganfainbergbknudson: exactly!17:06
*** anhhuynx has quit IRC17:08
*** lhcheng has joined #openstack-keystone17:08
*** ChanServ sets mode: +v lhcheng17:08
openstackgerrithenry-nash proposed openstack/keystone-specs: Enable retrieval of default values of domain config options  https://review.openstack.org/18565017:08
*** ajayaa has quit IRC17:08
*** lhcheng_ has joined #openstack-keystone17:09
*** ROT26 has quit IRC17:09
*** shaleh has joined #openstack-keystone17:10
henrynashbknudson: so I think we got the API sorted out in the follow-on patch to: https://review.openstack.org/#/c/193543/ (it’s no longer WIP and aligns with this now)….if you agree, maybe you can mark this one...17:10
bknudsonok. I didn't look at the WIP patch before. It's on my list17:11
Akshay00henrynash:I am working on https://bugs.launchpad.net/keystone/+bug/1287414 with Jason10258   And I noticed you did the initial commit which added ca_key as a command line option.  Trying to figure out how best to remove it and if that is the best plan.  As a note I am also a high school intern at Intel :)17:11
openstackLaunchpad bug 1287414 in Keystone "Keystone should not require CA key" [Low,Triaged] - Assigned to Jason O'Brien (jason10258)17:11
*** lhcheng has quit IRC17:12
henrynashAkshay00: I did?  you sure it was not ayoung?17:13
Akshay00henrynash: I saw this commit 1ed2046eaa91fa36926d66a5fe1e88ccd65373bb17:14
ayounghenrynash, all your fault.17:14
ayoungNot really17:15
henrynashayoung: :-)17:15
ayoungAkshay00, so, I think that is just for the case I am trying to destroy anyway17:15
ayoungI want to get rid of the whole openssl approach to cert generation17:15
ayoungone of many things I submitted to under duress.  I was young, I needed the money.17:15
gyeehe's telling the truth17:16
ayoungAkshay00, so, the reason that is there is to have a place to hold the key when generating the self signing.  You do need that if you do pki_setup or ssl_setup, as you need to sign the non-ca cert17:16
gyeeayoung, you want to put certmonger in there or you just want to kill off the whole thing?17:17
ayounghttp://2.bp.blogspot.com/-X4jXPyzIt10/Ur3Am5WsSZI/AAAAAAAABcQ/rRu-6QzCSys/s640/Jake+no+glasses.png17:17
ayounggyee, I want certmonger, and make it the abstraction for selfsign, for people that want it, but also the way to talk to a real CA17:18
gyeelets do this17:18
ayounggyee, HP has its own CA server, right?  Does it have a published protocol for posting CSRS?17:18
gyeeno need to fix that bug then17:18
gyeeayoung, we are using ephemeral CA at the moment17:19
*** rlt_ has quit IRC17:20
Akshay00henrynash:  Do you suggest that I try to find a different bug for me to work on, if you have a plan to remove it17:20
Akshay00??17:20
henrynashAkshay00: was that for me or ayoung?17:21
ayounghenrynash, I am not a manager. I resent being treated like one.17:21
Akshay00henrynash:that was for you17:21
ayoungEveryone is asking me what they should work on.17:21
*** ihrachyshka|away is now known as ihrachyshka17:22
raildoayoung, delegate17:22
*** e0ne has joined #openstack-keystone17:22
amakarovbknudson, hi! I see some of your patches have neither bug nor bp/spec reference: can you please educate me, are there any principles when bp is needed and when it is not?17:23
henrynashAkshay00: feel free to pick a bug from the backlog….17:23
*** ducttape_ has left #openstack-keystone17:23
bknudsonamakarov: if it's not changing the behavior of the server then no bp or spec is needed17:23
bknudsonamakarov: if somebody thinks it would be good for those to have a bp or a spec I'll add one.17:23
Akshay00So should I switch bugs then?17:23
Akshay00henrynash:?17:24
amakarovbknudson, thank you - things are clearer now for me )17:24
*** samueldmq has joined #openstack-keystone17:25
bknudsonnot putting a bug or blueprint on it means that it's harder to track and prioritize... but I'm fine with waiting a while for these changes to get in.17:25
*** EmilienM is now known as EmilienM|brb17:25
*** sigmavirus24 is now known as sigmavirus24_awa17:27
*** ajayaa has joined #openstack-keystone17:28
*** pballand has quit IRC17:30
*** pballand has joined #openstack-keystone17:31
*** ankita_wagh has joined #openstack-keystone17:35
*** Akshay00 has quit IRC17:36
*** Akshay00 has joined #openstack-keystone17:36
*** browne has joined #openstack-keystone17:37
*** henrynash has quit IRC17:39
*** sigmavirus24_awa is now known as sigmavirus2417:41
*** tqttran_afk has joined #openstack-keystone17:41
*** Lactem has joined #openstack-keystone17:42
Lactemdolphm: You there?17:42
LactemI wrote something. https://gist.github.com/Lactem/5a43296b8975da24db51 Would that suffice? (You said to make a test that does what https://paste.ee/p/pdyrS does.)17:44
*** fangzhou has quit IRC17:47
LactemCan any of the pros take a look and see if they think that would pass for the bug https://bugs.launchpad.net/keystone/+bug/1098564 or not? @morganfainberg @Akshay00 @Jason1025817:51
openstackLaunchpad bug 1098564 in Keystone "Cannot delete a service or endpoint" [Low,Incomplete] - Assigned to Theodore Ilie (theoilie-ti)17:51
stevemardimsum__: morganfainberg https://review.openstack.org/#/c/195865/117:54
*** e0ne is now known as e0ne_17:55
*** anhhuynx has joined #openstack-keystone17:56
*** Lactem has quit IRC17:57
anhhuynxI found out that when you do >keystone ec2-credentials-list on the CLI it would only list the admin's credentials, and you have to add the option --user-id <user-id> in order to get that user's credentials17:58
anhhuynxis that intended, or is that a bug?17:58
*** pballand has quit IRC17:58
anhhuynxor am I doing something wrong?17:58
*** tqttran_afk is now known as tqtran18:00
*** Lactem has joined #openstack-keystone18:01
*** ankita_wagh has quit IRC18:01
*** ankita_w_ has joined #openstack-keystone18:01
*** pballand has joined #openstack-keystone18:02
*** EmilienM|brb is now known as EmilienM18:04
*** rushiagr is now known as rushiagr_away18:04
*** hogepodge has quit IRC18:06
*** samueldmq has quit IRC18:06
*** samueldmq has joined #openstack-keystone18:06
*** lhcheng_ has quit IRC18:07
*** arunkant__ has joined #openstack-keystone18:07
*** ankita_w_ has quit IRC18:07
*** arunkant_ has quit IRC18:08
*** ankita_wagh has joined #openstack-keystone18:08
stevemarbknudson: got a minute?18:09
*** e0ne_ is now known as e0ne18:10
bretonbknudson: are you going to test https://review.openstack.org/195766 somehow? I'll write a functests for it if you haven't yet.18:11
openstackgerritSteve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/19587318:11
openstackgerritFernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations  https://review.openstack.org/19285018:12
*** arunkant__ has quit IRC18:13
*** diazjf has joined #openstack-keystone18:13
bknudsonbreton: I haven't written tests for it18:14
*** rushiagr_away is now known as rushiagr18:17
bknudsonbreton: I proposed the change to devstack18:17
*** sjcherry has joined #openstack-keystone18:18
sjcherryLatest keystone in git won't start.18:19
sjcherry2015-06-26 14:16:15.750 19309 CRITICAL keystone [-] TypeError: Service <keystone.common.environment.eventlet_server.Server object at 0x32efc10> must an instance of <class 'oslo_service.service.ServiceBase'>!18:19
stevemarsjcherry: using eventlet?18:19
stevemarbknudson: uh oh18:19
sjcherryCinder had the same problem last week after the switch to oslo.service.18:19
dstaneksjcherry: that's odd18:19
stevemarsjcherry: yeah, we just switched to oslo.service now18:19
dstanekdid we switch to oslo_service?18:19
stevemardstanek: a few minutes ago18:19
dstanekhaha, ok18:20
bretonbknudson: what change?18:20
bretonbknudson: nevermind, see it now18:21
sjcherryThe fix for cinder was in https://review.openstack.org/#/c/19536918:21
sjcherryI expect each service will see the same issue one by one.18:24
gyeeayoung, why do we need epsilon for k2k federation? its that a requirement for mod_mellon?18:28
*** david8hu has joined #openstack-keystone18:28
ayounggyee, other way around,. ipsilon uses mod_mellon. Don't know that we need it for K2K18:29
ayoungI think that Isilon could be useful for K2K.  I have not put that much brainpower in to the problem18:30
*** dramakri has joined #openstack-keystone18:30
gyeeayoung, I remember nkinder mentioned mod_mellon is waiting on something from epsilon in order to support ecp18:30
gyeemaybe I am hearing him wrong18:30
*** Lactem has quit IRC18:31
ayounggyee, other way round18:31
ayoungmod_mellon has some not-yet-merged upstream commits we are waiting for18:31
ayoungipsilon, not epsilon...different greek letter18:31
gyeeayoung, ah, my bad18:32
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.service ServiceBase when loading from eventlet  https://review.openstack.org/19617518:32
stevemarsjcherry: review ^ ?18:32
bknudsonstevemar: what happened? did it break?18:38
bknudsonI thought we told everybody to run keystone under httpd?18:39
gyeewhat break? eventlet?18:39
bknudsonWhen I run with devstack keystone master works just fine.18:41
dstanekbknudson: me too. i wonder if it's an oslo.service version problem...18:42
bknudsonoslo.service==0.1.018:43
bknudsonwhich is the latest on pypi18:43
dstanekbknudson: i'm wondering if others don't have the latest18:44
bknudsonoslo.service>=0.1.0 is in global-requirements18:44
sjcherryCinder is the only other project that I've seen change to oslo.service.18:44
dstanekor maybe they are running the bleeding edge: http://git.openstack.org/cgit/openstack/oslo.service/commit/?id=59ed2ec386c90fc6fdb5e7353a62f729e071f79518:44
bknudsonthat change isn't backwards-compatible.18:45
dstanekbknudson: nope18:45
dstaneksjcherry: i suspect once olso_service is released with that commit then others will likely need to fix18:47
bknudsonkeystone-all fails with master oslo.service.18:47
sjcherrydstanek, Yep.  That's why I poked in here as soon as I saw that error in my logs.18:47
sjcherryI saw it earlier in Cinder but that one the cinder-api service wouldn't even start.18:48
bknudsonproposed a revert: https://review.openstack.org/#/c/196183/18:49
sjcherryoslo.service 0.1.0 has the same check but only in the lauch() function.18:49
bknudsonI guess as long as we can get ahead of it it's fine18:50
bknudsonthis is why I hate ABCMeta.18:51
morganfainbergbknudson: because it doesn't enforce useful things? Because #python18:51
gyeehah18:51
bknudsonit enforces a little bit, but not much18:52
bknudsonso what's the point18:52
bknudsonfine if you control all the code but doesn't make sense in a library18:52
morganfainbergWe should rewrite keystone in rust18:52
dstanekit enforces just enough to be painful18:52
morganfainbergOr golang18:52
bknudsonand the way it's used here it's just checking isinstance in a couple places... wtf18:53
bknudsonC++18:53
stevemarbknudson: you just dont get it, it's too hip and cool18:53
morganfainbergNah. The ldap driver would be too much to maintain in c++ (did it in a past life)18:53
bknudsonconsidering keystone-all worked fine before the change proves it was unnecessary18:53
morganfainbergLet's rewrite the ldap integration from scratch18:53
gyee++18:54
morganfainbergIn a new language.18:54
morganfainbergCause why not18:54
bknudsonlet's not write the ldap integration, use apache support18:54
openstackgerritSteve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/19587318:54
gyeebknudson, been there, done that18:54
openstackgerritBoris Bobrov proposed openstack/keystone: functional tests for keystone on subpaths  https://review.openstack.org/19618618:54
morganfainbergAaaaaaaaannnnnyyyway18:54
morganfainbergSo what is broken with oslo_service?18:54
morganfainbergJust Oslo service bad in a recent commit?18:54
stevemarmorganfainberg: only with master branch of oslo_service18:54
bknudsonmorganfainberg: it's not broken... yet18:54
morganfainbergAh ok18:55
gyeethought we are getting rid of eventlet so what's the point?18:55
bknudsonit removes 1k lines of code from oslo-incubator18:55
bretonin fact, I still don't like that we move away from eventlet18:56
bretonit was easy to use it for debugging18:56
gyeeI use print18:56
bretondo import pdb; pdb.set_trace() and launch from terminal keystone-all18:56
stevemarbreton: use rpdb18:56
morganfainberggyee: 1k fewer lines to deal with until we get liberty eol18:56
bretonstevemar: what about gdb? I am not sure I can use it with apache18:57
stevemarnever tried that one18:57
gyeegdb? that works with python code?18:57
sigmavirus24gyee: it can18:57
gyeenice! I didn't know that18:57
morganfainbergbreton: sorry, but eventlet was a bad option for a pure wsgi app in the first place. Mod_wsgi gunicorn uwsgi all better options and have been around a long time18:58
kfox1111morganfainberg: I just read up on how aws is doing things. they extended their metadata server to hand back their equiv of keystone tokens, just like in my original proposal. :/18:58
sigmavirus24it's better for debugging the interpreter or C extensions, but it works gyee18:58
gyeesigmavirus24, thanks! I'll give it a try18:58
bretonstevemar: I had to use it to debug https://bugs.launchpad.net/keystone/+bug/142078818:58
openstackLaunchpad bug 1420788 in Keystone juno "Logging blocks on race condition under eventlet" [Medium,Fix released] - Assigned to Boris Bobrov (bbobrov)18:58
sigmavirus24gyee: have fun ;)18:58
kfox1111see: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html section "Retrieving Security Credentials from Instance Metadata"18:58
morganfainbergbreton: another case why eventlet is a bad idea.. Doesn't occur in Apache/managed wsgi18:59
bknudsonwe need eventlet so that we can debug -- eventlet problems18:59
morganfainberg:P18:59
morganfainbergbknudson: right? ;)18:59
gyeekeep us employed18:59
morganfainbergkfox1111: then do it that way, but realize anyone who uses config drive will not get your neat feature.18:59
bretonit was terrible for running in production, but pretty good for running on localhost19:00
bretondjango does that, for example19:00
kfox1111yeah. I'm afraid with config drive only allowing static data, the dynamic rekeying stuff that the metadata route enables is out of the question anyway. :/19:00
morganfainbergbreton: django doesn't use eventlet. It uses webrick? We could do similar.19:00
stevemardimsum__: having some issues with oslo.cache config options19:00
stevemardimsum__: did it work for you?19:00
morganfainbergbreton: but that is the same method as the managed wsgi, just a single process19:01
dstanekmorganfainberg: flask will take care of this going forward19:01
bretondstanek: when will flask happen?19:01
dstanekor at least can19:01
morganfainbergdstanek: yeah I know. It's internal single process manager that works just like a wsgi manager like mod_wsgi19:01
morganfainbergbreton: this cycle19:02
stevemarbknudson: got a minute to look at https://review.openstack.org/#/c/195873/19:02
kfox1111with static, if you mothball your vm for a while, then start it back up, if you ever have to rotate your keys then your vm's dead anyway. :/19:02
dstanekbreton: I want to have first pass done by Monday19:02
bknudsonstevemar: I'm actually fine with https://review.openstack.org/#/c/196175/19:02
bretonok, that's cool19:02
stevemari'll resurrect it then bknudson19:02
morganfainbergkfox1111: so, you have a bigger political battle to fight I think. Make metadata service not sucky and available everywhere.19:03
bknudsonI guess that's the way we're supposed to do it.19:03
dstanekbreton: I was shooting for this week, but to much life happened19:03
kfox1111morganfainberg: Yeah. :/19:03
kfox1111I personally don't think its sucky. I do understand others don't think the same.19:03
morganfainbergkfox1111: haven19:03
bknudsonstevemar: did you check if there's any unused reqs after removing all the code in https://review.openstack.org/#/c/195873/ ?19:03
kfox1111yeah. :/19:04
morganfainbergHaving run it.. It needs love19:04
bretondstanek: I'll be happy to review it when it happens19:04
morganfainbergIt causes issues at scale.19:04
morganfainbergOr it did at least 2 releases ago19:04
stevemarbknudson: not yet, should do that soon though, there seems to be an issue with registering the config options19:04
kfox1111yeah. the implementation could use work. but I don't think that's reason to throw the baby out with the bath water.19:04
kfox1111amazon's md server scales, so its at least theoretically possible.19:04
morganfainberg"rm -rf eventlet_code_in_keystone"19:05
stevemarbknudson: and looking at this: https://github.com/openstack/oslo.cache/blob/master/oslo_cache/_opts.py#L124-L130 it should be registering automagically19:05
morganfainbergThat would also solve our issues :P19:05
kfox1111yay. byby eventlet! :)19:05
bknudsonstevemar: automatically?19:05
bknudsonif by automatic you mean when you call the function19:06
kfox1111so are you ok doing something where some instance user management service (md server or otherwise) manages the certs and gives vm's keystone tokens when needed? or is that still -1?19:06
kfox1111just going to go back and basically rewrite the whole bloody spec and want to lay out all the options again. :/19:06
stevemarhmm i guess i need to call cache.configure(CONF)19:07
gyeekfox1111, with that spec, we are potentially creating thousands accounts in keystone, one per instance right?19:09
kfox1111possibly. though the account is managed by ca, so it doesn't actually exist in keystone.19:09
kfox1111kind of a federated thing.19:09
gyeekfox1111, I see, so we just map a cert to a group in Keystone for example19:10
kfox1111yup.19:10
gyeethat'll work19:10
stevemarbknudson: calling https://github.com/openstack/oslo.cache/blob/master/oslo_cache/core.py#L316-L317 at keystone/server/common.py doesn't seem to make things happy19:11
bknudsonstevemar: I think it goes in http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/config.py#n112119:14
stevemarbknudson: that seems to make the tests happy, not genconfig though19:18
bknudsongenconfig uses the entrypoint19:18
bknudsondoesn't it?19:18
morganfainbergbknudson: it needs to be added to the config file thing too.19:31
morganfainbergFor genconfig iirc.19:31
morganfainbergSince keystone is treated as an actual lib too.19:32
openstackgerritSteve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/19587319:32
bknudsonhttp://git.openstack.org/cgit/openstack/keystone/tree/config-generator/keystone.conf19:32
morganfainberghttps://github.com/openstack/keystone/blob/master/config-generator/keystone.conf19:32
morganfainbergYeah.19:32
bknudsonjinx19:32
stevemari added it there >.<19:32
bknudsonare other projects using oslo.cache?19:34
raildoanyone can review this spec? :D https://review.openstack.org/#/c/193543/1019:34
kfox1111morganfainberg: so are you ok doing something where some instance user management service (md server or otherwise) manages the certs and gives vm's keystone tokens when needed? or is that still -1?19:35
morganfainbergkfox1111: that's fine if it really is the only option.19:36
kfox1111ok.19:36
morganfainbergkfox1111: but I'm eating lunch so -- no hard decisions right now ;)19:36
kfox1111hehe. ok.19:36
kfox1111fair enough. :)19:36
kfox1111since everyone seems to want to see all the options, just trying to figure out options to lay out.19:36
openstackgerritSteve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/19587319:42
morganfainbergstevemar: have bandwidth for like 3 easy reviews?19:47
morganfainbergstevemar: https://review.openstack.org/#/c/193543/10 and the two cleanup ones in keystoneauth (preceding the namespace change)19:48
stevemarmorganfainberg: ay ay, captn19:48
stevemarlink me the two from keystoneauth19:48
morganfainbergStarts here... https://review.openstack.org/#/c/195712/ you don't need to do the namespace one19:50
morganfainbergIf you aren't up for t.19:50
morganfainbergLooks like one in ksa already merged.19:50
morganfainbergSo just that one.19:50
morganfainbergdstanek: do you have a WIP patch for flask or not quite that far yet?20:18
dstanekmorganfainberg: i don't, but i can get one together pretty quickly i think20:23
dstaneki just have to unbreak a few things that i broke20:23
openstackgerritMorgan Fainberg proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/19040520:33
stevemarmorganfainberg: why the move to keystoneauth120:37
morganfainbergstevemar: so we can have major versions co-installed on the system20:38
stevemardimsum__: i think the double role/assignment options in oslo.cache are breaking us20:38
morganfainbergbasically the idea is that any change that could break an interface at all justifies a new major version20:38
morganfainbergthis library has to be insanely stable20:38
morganfainbergit's going to be used by SDK20:38
stevemarfair enough20:38
morganfainbergand client libs20:38
morganfainbergthe next step is ditching oslo.config for it20:39
morganfainbergand we're like 90% ready for a release20:39
morganfainbergor 95%20:39
morganfainberg(stable release that is)20:39
raildobtw, thanks stevemar for the reviews in the hmt stuff on openstack client :)20:42
stevemarraildo: np at all, part of the job!20:42
stevemarmorganfainberg: do you have the ability to release a new oslo.cache?20:49
morganfainbergNope20:50
morganfainbergHave to ask dhellman or one of the other release managers.20:50
dimsum__stevemar: i can20:52
dimsum__will be able to do it in a couple of hours. ok?20:52
dimsum__unless what you need is in already in master20:53
kfox1111morganfainberg: just to explore some more options... what about regular federation. I know nothing about saml, but could the metadata server be made an identity provider and then it just redirects to keystone with the appropriate bits?20:54
morganfainbergkfox1111: you're likely to be unhappy with that - the metadata service is already doing too much. you probably want a microservice then20:54
morganfainbergkfox1111: that can focus on "IdP" specific code20:55
* dimsum__ vanishes for a couple of hours20:55
morganfainbergkfox1111: it can't "just provide" identity. Federation has a lot of overhead because it has to be trusted data.20:55
morganfainbergkfox1111: the client certs are hooking into that to help alleviate the need to be a true IdP.20:56
morganfainberghence the recommendation to go that route20:56
stevemardimsum__: i still need to figure out what the fix is :)20:56
kfox1111ah. ok. just curious.20:57
stevemarmorganfainberg: got a minute?20:57
morganfainbergstevemar: sure20:57
stevemarmorganfainberg: https://review.openstack.org/#/c/195872/20:58
morganfainbergstevemar: expecting a call in like 2 mins, but worst case can come back when done20:58
stevemaroh it'll be longer than that i think20:58
morganfainberghow did you break that?20:58
stevemarhttps://github.com/openstack/oslo.cache/blob/master/oslo_cache/tests/test_cache.py#L197-L20120:58
stevemarmorganfainberg: ^20:59
morganfainbergahahah20:59
morganfainbergyeah20:59
morganfainberghard-coded "assignment"20:59
kfox1111I wonder if I should just recommend making a new network service that runs on every hypervisor that attaches through a secondary network interface that provides this service. :/20:59
stevemarmorganfainberg: create a new group at test time?20:59
kfox1111its frustrating since the metadata server's supposed to just be that. :/20:59
morganfainbergstevemar: there is a way to register the group dynamically with the config fixture20:59
morganfainbergstevemar: i recommend using a specifically generated group rather than a "keystone" one20:59
stevemartheres also this one https://github.com/openstack/oslo.cache/blob/master/oslo_cache/tests/test_cache.py#L14020:59
morganfainbergsame thing21:00
morganfainberguse the config fixture to register a group like uuid.uuid4().hex21:00
morganfainbergor some such21:00
morganfainbergand reference it21:00
stevemaryeah, i'll do that21:00
morganfainberg:)21:00
morganfainbergkfox1111: maybe.21:01
morganfainbergkfox1111: i can't speak to the "need another agent"21:01
kfox1111heh. yeah. :/21:01
kfox1111I guess that's just one more possible implementation for the alternatives section21:04
kfox1111(its going to get huge. :/)21:04
kfox1111morganfainberg: I have an idea....21:18
kfox1111I did this exact thing in barbican, but maybe its better to do it simply in keystone...21:18
kfox1111we give Nova metadata server its own self signed cert. we load that cert's ca into keystone and give it a domain.21:19
kfox1111we extend the nova metadata server to create a signed message with the cert saying "the bearer of this message is nova instance id=xxxxx-xxxx-xxx-xxxxx"21:20
kfox1111the instance passes that signed message to keystone as authentication credentials, keystone gives back a token.21:21
kfox1111no barbican needed in that workflow, or lots of certs, or anything.21:21
kfox1111we'd only need to add a simple authentication plugin to keystone to support that workflow.21:22
gyeekfox1111, you can do that today already, via federation21:22
kfox1111gyee: morganfainberg just said it was hard to do that with federation as it exists today. are we missing something?21:23
gyeehave the path protected by mod_ssl21:24
kfox1111morganfainberg: what do you think?21:25
gyeekfox1111, see my comment at the bottom http://adam.younglogic.com/2015/03/key-fed-lookup-redux/21:26
gyeeI got it working with PAM, its not that hard to create one for SSL21:26
kfox1111gyee: have a look at: https://review.openstack.org/#/c/159573/21:27
gyeelooking21:28
kfox1111specifically vendordata_barbican.py and token.py21:28
kfox1111what would go into the keystone plugin would basically be whats in context.py21:29
kfox1111note, "token" there doesn't mean keystone token. just a signed message.21:30
gyeekfox1111, you are assuming PKI/Z token21:32
morganfainberggyee: "federation" is different than the mod_ssl, he was talking true IdP21:33
kfox1111no, the code is just reused from the PKI/Z module. :)21:34
kfox1111its reusing its code to sign/verify the signed message.21:34
morganfainberggyee: client certs as federation would be ok21:34
morganfainbergkfox1111: FYI s/mime (CMS) adds about a minimum of 1KB overhead21:34
gyeemorganfainberg, right, I thought that's what he wants21:34
morganfainberggyee: yeah that was what i was recommending vs. being a true "IdP" because it wouldn't be a true IdP21:35
morganfainbergcerts are a bit stubby attribute wise (without going crazy non-standard)21:35
kfox1111morganfainberg: I'm just thinking, maybe a way to extend some kind of trusted relationship between Nova and Keystone such that, if nova says, give me a token for user=instanceid, its given one.21:35
morganfainbergkfox1111: that is how the client cert stuff is meant to work - but it requires a group (IdP) and an assignment on said group21:36
kfox1111certs are a way towards that, but seems like it may be unnecessary?21:36
gyeekfox1111, security folks won't let you get away with impersonation21:36
morganfainbergkfox1111: we still need a way to authoritatively validate the requests21:37
morganfainberggyee: it isn't impersonation, he's asking for an ephemeral uers21:37
morganfainberguser*21:37
gyeethat would be federation then21:37
morganfainberglike how federation works, but a bit more "vm = user-id"21:37
morganfainbergvm-id*21:37
morganfainbergugh21:37
morganfainbergvm-id == user_id21:37
kfox1111authoritatively can be done via nova's existing keystone user?21:37
morganfainbergkfox1111: not really. Keystone doesn't support the idea that $service can create a token for $arbitrary_user_info21:38
morganfainbergkfox1111: we require a cryptographically verified set of data that has an explicit trust.21:38
kfox1111today. would that be out of the question though? it may be by far the easiest thing to implement?21:38
morganfainbergkfox1111: i'd say we're dangerously close to the cert thing now :P21:39
kfox1111quite possibly.21:39
morganfainbergand it means keystone has much less code to write to support you21:39
kfox1111I'm just thinking the cert is long lasting. probably longer than is strictly necessary.21:39
gyeeif you are exchanging cert for a token, zero code to write :)21:39
kfox1111then its gota be stored in a db.21:39
gyeefor keystone21:39
morganfainbergif you're asking for an API to let $service issue an ephemeral user + token - you're now asking for custom APIs and i'll be blunt - it is unlikely to get in during liberty21:40
kfox1111if a signed message can be used instead, but have all the same properties, that might be generated on the fly and be easier to manage.21:40
morganfainbergkfox1111: and i'd need to do some serious thinking about how to isolate the security concerns21:40
kfox1111understood.21:40
morganfainbergkfox1111: there *is* the ephemeral PKI work21:40
kfox1111just exploring options. since others keep throwing up roadblocks.21:40
morganfainbergbut i don't know where that is today21:40
gyeewhy do you need a user token? to fetch the secret from barbican right?21:41
morganfainbergi'm not opposed to some extra trust mechanism with clear delegation to an ephemeral user via a transport21:41
morganfainbergkfox1111: what i don't want is to rush it in liberty and open security holes21:41
morganfainbergkfox1111: if you need this in liberty (sounds like the timeline) i'd say certs are the easiest21:41
kfox1111gyee: thats one example, or to let a guest agent talk to zaqar, or allow an app to fetch stuff from swift, or nagios to discover instances to monitor, etc.21:41
gyeebut that can be done via group mapping21:42
morganfainbergif you are talking about a service that can run with just user-id (ACLs are in the service) then cert is free21:42
kfox1111morganfainberg: agreed. I think its probably dead for liberty at this point anyway. nova's killed it by waiting so long to review. :/21:42
morganfainbergif you need roles in keystone, it's a little more work21:42
morganfainbergand we need to make sure we're not causing you a roadblock by requiring the role to be on a roup21:42
morganfainberggroup*21:42
morganfainbergs/in keystone/from keystone21:42
gyeejust create a project with the correct roles assigned21:43
kfox1111if tokens are handed out by the metadata server, then the way it gets the token from keystone is an implementation detail that can be resolved later.21:43
openstackgerritMerged openstack/keystoneauth: Remove catalog/translation targets from tox.ini  https://review.openstack.org/19571221:43
kfox1111we can start with something really stupid like user/pw and sql, and replace it with ca's or federation or whatever and no one will be the wiser.21:43
morganfainberggyee: the point is making sure we're not forcing them into a model that wont work - just requires mapping it out21:43
openstackgerritMerged openstack/keystoneauth: Move to the keystoneauth1 namespace  https://review.openstack.org/19100321:43
openstackgerritMerged openstack/keystoneauth: Remove opestack-common.conf  https://review.openstack.org/19609821:43
kfox1111thats why I really like the idea of the md server handing out tokens. keystone tokens are always going to be  a thing.21:44
kfox1111kesystone username/pw, certs, whatever might not.21:44
morganfainbergkfox1111: no they wont. i'm working to make them also disappear21:44
kfox1111its nicely abstracted.21:44
morganfainbergkfox1111: bearer tokens are awful21:44
kfox1111hmm...21:44
morganfainbergkfox1111: but the impact to your system will be minimal - it'll just be a new way to auth21:44
morganfainberg;)21:44
morganfainbergso don't worry about the bearer tokens dying21:44
kfox1111k.21:45
morganfainbergit really wont be hard to move to a new system once they are ready to go21:45
morganfainbergjust don't expect it to *always* be bearer tokens21:45
morganfainbergas in try and look at the token to figure out things ;)21:45
kfox1111yeah. the contents of the token are opaque.21:45
morganfainbergassume the authorization is opaque21:45
kfox1111exactly. :)21:45
kfox1111thats what I like about the idea. we assume it goes back to keystone and keystone's the only one to make any meaning out of it.21:45
kfox1111then we can replace the mechanism in the md server with anything we want over the years and the api doesn't have to change.21:46
kfox1111if somehow quantum encryption becomes a thing, :) nova->keystone can use that to get a token. :)21:46
gyeewith cloud, quantum is possible21:47
gyeejust wait and see :)21:47
kfox1111hehe.21:47
kfox1111so... to really simplify the spec for now, can I just say the initial implementation will create username/pw's in keystone in its own domain? I can always write a migration script that goes through the db and converts them to barbican CA certs or some trusted handshaked federation thingy in the future when we decide what that should look like?21:49
kfox1111It should be possible to be done in place without a downtime?21:50
gyeeone user per instance?21:50
stevemarmorganfainberg: https://review.openstack.org/#/c/195872/ cc dimsum__21:51
kfox1111one user per instance that has requested the instance user feature.21:51
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/19040521:51
morganfainbergkfox1111: i think you're writing yourself into a corner by updating things in keystone21:51
bknudsonstevemar: oslo.cache doesn't need role and assignment drivers?21:51
gyeewe are looking at potentially thousands of users21:51
morganfainbergkfox1111: creating users/groups21:51
morganfainbergkfox1111: i am really against nova being able to do that21:51
bknudsonheat already does it21:52
morganfainbergkfox1111: because then every otherservice wants to do it.21:52
morganfainbergbknudson: heat is a bit special21:52
kfox1111yes, but the whole point of instance users is to prevent other services needing to do that. :/21:52
bknudsonmorganfainberg: "special" ?21:52
gyeelike special olympic?21:52
bknudsonhe he21:52
* kfox1111 chuckles21:52
morganfainbergbknudson: i have un-pc words to use for some of heats specialness21:52
morganfainbergkfox1111: then we should make it more generic - does neutron need this for its ports somehow?21:53
kfox1111heat creates users since it needs instances to talk back to it. if nova instance users were there, it could just switch to them I think.21:53
stevemarbknudson: it certainly does not21:53
kfox1111no, but octavia needs it for getting user's barbican ssl certs to load balancers.21:53
morganfainbergkfox1111: i also worry about adding 1000s of users to the SQL DB backend in keystone21:53
morganfainberglegitimately the SQL backend is terribad21:53
kfox1111sahara could use it to establish a connection between a guest agent running in a sahara instance, zaqar and its controllers.21:54
morganfainbergand we've opted to spend zero time making it a lot better, assuming it's minimal usage21:54
morganfainbergkfox1111: making this work like an ephemeral/federated user is a lot less overhead.21:54
morganfainbergimo21:54
stevemarbknudson: grrr, still not registering the config options when i generate a new config file21:55
kfox1111morganfainberg: I agree, the scaling aspect sucks. I'm just trying to split the need of getting an API going and abstracted, from an implementation that can be continuously improved over time.21:55
morganfainbergkfox1111: i also think you're going to see most deployers tell you to fly a kite on allowing nova to create users in keystone21:55
kfox1111agreed. if we can figure out how to make it work quickly.21:55
morganfainbergkfox1111: so you're writing a feature that the majority of people wont want to enable21:55
kfox1111will they be more receptive to be having to install barbican?21:55
bknudsonstevemar: the config generator is silent on failures21:55
morganfainbergkfox1111: i'd say yes.21:55
stevemarbknudson: i am looking at git diff21:56
kfox1111I want to agree. at the moment, I'd disagree simply because there are no rpms yet. :/21:56
kfox1111and heat already does instance users. :/21:56
morganfainbergkfox1111: i mean i can't stop you from proposing this to nova and having them agree it is the right way21:57
morganfainbergi can tell you none of the public clouds will ever turn this on21:57
morganfainbergor at least RAX and HP won't [afaik]21:57
kfox1111is rax even running keystone yet?21:57
kfox1111I thought they were doing their own thing in a lot of ways. :/21:58
morganfainbergno, but they are moving to it soon(tm) [required for defcore compliance]21:58
gyeejython last I heard21:58
morganfainbergamong other reasons21:58
* hogepodge looks around21:58
morganfainbergbut RAX users and such are managed outside of keystone21:58
kfox1111what I'm interested in most is starting to grow the community of heat developers able to create cloud scaled apps that can be contributed.21:58
morganfainbergsame with HP's users21:58
morganfainbergkeystone does not manage users for either cloud21:59
morganfainbergkeystone consumes the users.21:59
kfox1111if it takes a while for the public clouds to adopt it, that's probably ok, because it takes them so long to adopt any openstack release anyway. :/21:59
morganfainbergand brokers the access to the clouds21:59
kfox1111if we can fix the issue before they adopt, they won't even notice.21:59
morganfainbergkfox1111: the user DBs are read-only as far as keystone is concerned21:59
gyeekfox1111, in HP cloud, every user is connected to a billing account21:59
kfox1111how are they supporting heat?21:59
kfox1111(or are they?)21:59
gyeeso Nova can't just create users21:59
morganfainbergand i've publicly stated (and stand by this line) that keystone's user-management API will never be defcore required22:00
gyeein fact, user creation is part of onboarding workflow22:00
morganfainbergbecause many many many deployments do not want to allow keystone write access to the user-store22:00
kfox1111that's one of the reasons I wanted instance users to be different than just letting users have a domain and create instance users themselves.22:00
kfox1111that kind of policy prohibits it.22:00
hogepodgemorganfainberg: it's one I agree with22:00
hogepodgemorganfainberg: based on my own past usage22:01
hogepodgeamongst other things22:01
morganfainberghogepodge: you and I are much on the same page for what should/shouldn't be required for a cloud to be "interoperable"22:01
gyeeagree 10000%22:01
morganfainbergkfox1111: so i think we need to make the users look like ephemeral users.22:01
gyeeIdP is outside of defcore22:01
hogepodgeGive me a machine running an image with a network and storage? One can dream. ;-)22:01
kfox1111morganfainberg: I totally agree with you.22:02
bknudsonthat's only because they don't want to take advantage of per-domain backends22:02
morganfainbergkfox1111: the short path is CA -> client cert22:02
morganfainbergbknudson: even with per-domain backends, keystone cannot write to the per-domain backend22:02
morganfainbergbknudson: those are read-only22:02
bknudsonyou can have both read-write and read-only backends22:02
morganfainbergafaik we can't write to a per-domain backend22:03
bknudsonoops, domains22:03
morganfainbergthe code doesn't support it22:03
morganfainbergonly supports writes to default22:03
morganfainberg(not default domain, default backend)22:03
bknudsonwe really only support having sql as the primary domain22:03
bknudsonwhich allows adding domains and r/w users of course22:03
morganfainbergbknudson: we unfortunately broke deployments by asserting that22:03
morganfainbergbknudson: we need to undo that22:03
morganfainberg:(22:04
gyeebknudson, how about let's spend a weekend hacking up SCIM with Flask?22:04
morganfainberghonestly, i think we need to take a hard look at SCIM for this22:04
bknudsonthere's already SCIM servers22:04
bknudsonaccording to SCIM.com22:04
morganfainbergit might be what is needed22:04
gyeein django22:04
morganfainbergnova can utilize SCIM to handle the identity bits per-vm.22:04
breton> even with per-domain backends, keystone cannot write to the per-domain backend22:04
bretonreally?22:05
morganfainbergbreton: as far as i know, yes. it was a design choice22:05
kfox1111so, I guess we're at, barbican ca, keystone x509 federation, nova metadata uses cert, hands out tokens to the vms?22:05
bknudsona read-only sql backend makes no sense22:05
bretonI thought I created users in ldap configured per-domain22:05
morganfainbergbreton: it might have been changed, but oh dear god i don't think we test those paths well22:05
bknudsonwe don't test per-domain backends22:06
bknudsonor ldap22:06
morganfainbergkfox1111: *or*22:06
morganfainbergkfox1111: another way to communicate (preferably via an apache module) the user information in a secure way22:06
morganfainbergthat we can hook into the federated system22:06
*** roxanaghe has quit IRC22:06
morganfainbergkfox1111: x509 is a known quantity and we know the work needed to get there22:07
*** pballand has quit IRC22:07
gyeex509 cert for token should be zero additional work for keystone22:07
morganfainbergkfox1111: in fact, almost (if not all) the work will be done as a side effect of initiatives we're pushing to make service users better. that's the reason why i keep coming back to it22:07
*** stevemar has quit IRC22:07
bretonbknudson: I see several tests with domain_specific_drivers_enabled=True in tests/unit/test_backend_ldap.py, don't they work?22:08
*** stevemar has joined #openstack-keystone22:08
morganfainbergbreton: we have some tests but it's not really tested in a devstack22:08
*** edmondsw has quit IRC22:08
bknudsonbreton: you can have a writable ldap domain-specific driver.22:08
morganfainbergunit != functional/truly working22:08
kfox1111morganfainberg: I'm not sure I see how that's different.22:08
*** edmondsw has joined #openstack-keystone22:08
bknudsonwhy would a real deployment ever use read-write ldap backend?22:08
*** edmondsw has quit IRC22:08
morganfainbergbknudson: i don't know. i stopped trying to understand that22:09
bknudsonif I was using ldap I'd have better tools for adding users already22:09
morganfainbergbknudson: but people do it and usually the answer is very hand-wavey22:09
* breton tryed out of curiosity22:09
bknudsonldapadd vs openstack user add22:09
breton*tried22:09
gyeebknudson, sure ldap -f add_users.ldif22:09
morganfainbergbknudson: 100% agree with you22:09
morganfainbergor freeIPA web interface (it's remarkably good)22:09
kfox1111I guess, what would be truly fantastic would be a mechanism like:22:09
kfox1111nova has a ca... each hypervisor gets a cert.22:10
kfox1111each hypervisor runs a web server attached to the instances it maintains.22:11
kfox1111any request to the web server signs a message to keystone saying "i need a token from instance X"22:11
*** pballand has joined #openstack-keystone22:11
kfox1111keystone verifies the CA then goes back to nova api and asks is instance x running on that hypervisor. if it is, it gives back a token for instance X.22:12
morganfainbergkfox1111: so stop here22:12
morganfainbergbefore you get too much further22:12
morganfainbergi have a very important question22:12
*** stevemar has quit IRC22:12
morganfainbergwhat authorization does the token for instance X need?22:12
kfox1111nothing for most of the use cases. just enough of keystone integration for a user to add acls to barbican or zaqar to enable specific resources.22:13
morganfainbergi really don't know what that means.22:13
morganfainbergdo you need roles?22:13
kfox1111no roles.22:13
morganfainbergor is an unscoped token sufficient?22:13
morganfainbergdoes it need to be part of a project?22:13
kfox1111unscoped token is sufficient so long as they can get the service catalog entries to point to barbican/zaqar.22:14
morganfainbergnope22:14
kfox1111not part of a project.22:14
morganfainbergneeds a project then22:14
morganfainbergunscoped doesn't have a catalog today22:14
bknudsonwe could just allow service users to generate unscoped tokens22:14
bknudsonwith whatever user you want22:14
kfox1111can be a dummy project. doesn't really need it but if that make it work, whatever.22:14
morganfainbergsure, i'm trying to get the full scope of what you want22:14
kfox1111k.22:15
morganfainbergalso keystone going back to nova - no.22:15
kfox1111no roles, no groups, one domain (that managed by nova) and some way of getting a keystone user id to hang acl's off of. and some day trusts.22:15
* morganfainberg thinks for a minute22:15
bknudsontrusts makes it more difficult22:15
morganfainbergyeah22:15
morganfainbergkfox1111: ok so let's stop with what the mechanism to get the token is22:16
kfox1111k.22:16
morganfainbergwhat specifically would be done with the token22:16
morganfainbergreal-world usecase22:16
morganfainbergnot theoretical22:16
kfox1111k.22:16
morganfainbergif possible22:16
*** gordc is now known as gordc_22:16
kfox1111vm is provisioning itself. It gets a token somehow, and a barbican endpoint somehow.22:16
kfox1111it calls the get secret rest api of the barbican endpoint, fetches a secret, and provisions itself.22:17
kfox1111secret could be mysql password, ssl wildcard certificate, etc.22:17
morganfainbergsure22:17
kfox1111another use case is, the vm starts up, gets a token somehow,22:17
kfox1111starts up the heat guest agent,22:18
kfox1111connects to zaqar queue heatinstance-xxxx-xxxx-xx and starts listening for request to come in to run software-deployments.22:18
kfox1111almost every use case I can think of that I need to do for the next year falls into one of those two categories.22:19
kfox1111there can be others, but those can wait.22:19
*** htruta has quit IRC22:19
kfox1111sound ok?22:20
morganfainbergi mean i kind of hear a CMS use-case mixed with a heat-stack use-case22:20
morganfainbergam i hearing that wrong?22:20
kfox1111cms use case for the former. using heat to stand up apps.22:21
morganfainbergyah22:21
kfox1111the latter is the guest agent use case. controller -> vm management control.22:21
morganfainbergsure. but that tends to flow from CMS -> config -> things22:21
kfox1111heat is usually actually used to provision those too these days.22:21
morganfainbergon top of IaaS things22:21
kfox1111yeah.22:21
kfox1111kind of the saas stuff. trove, sahara, etc.22:22
kfox1111lbaas.22:22
*** dramakri has joined #openstack-keystone22:22
*** lhcheng has joined #openstack-keystone22:22
*** ChanServ sets mode: +v lhcheng22:22
kfox1111anything that has a controller provisioning vm's on the behalf of the user really.22:24
kfox1111it can be used for other things, like I mentioned before, those two use cases are the things I really care about currently.22:24
morganfainberghmmmmm22:24
kfox1111because each guest agent is implementing things differently and most are doing it suboptimally since it's hard to do right.22:25
kfox1111sahara does ssh from controller to guest agent. (hurts with SDN)22:25
kfox1111trove is doing it with rabbit (not multitenant aware. security risk)22:25
kfox1111heat's doing it with their own users. (bleh :)22:26
kfox1111lbaas implemented their own thing (was lamenting not having instance users in the mailing list the other day)22:26
kfox1111no clue what magnum's doing. afraid to find out.22:26
kfox1111they all should just be using zaqar with instance users.22:26
morganfainbergmagnum is abstracting away the containers as $container_things, after the vm is spun up22:27
kfox1111zaqar works nicely with SDN since its going the right way through the nat.22:27
morganfainbergso it knows its bay and can interact with it directly22:27
*** lhcheng_ has joined #openstack-keystone22:27
morganfainbergmagnum is not a huge issue on this front22:27
openstackgerritBrant Knudson proposed openstack/keystone: Remove setUp for RevokeTests  https://review.openstack.org/17925922:27
morganfainbergdocker/docker_swarm is not intended to be bound to keystone22:27
morganfainbergmagnum's interfaces might be.22:28
kfox1111the controller never has to poke commands at the vm?22:28
morganfainbergindirectly22:28
kfox1111like "drain the vm of containers, its going down"?22:28
morganfainbergdocker and kubernetes can't be under keystone authZ today22:28
morganfainbergso it does it in the docker/kubernetes methods22:28
kfox1111does it use a guest agent at all on the vm's?22:28
morganfainbergfairly certain it's like a nova-cpu agent22:29
kfox1111nova-compute uses rabbit as a back channel for control.22:29
morganfainbergi'd have to go look22:29
morganfainbergbut my guess is it uses its own transport that is not tied to keystone22:29
morganfainbergwhatever that transport is22:29
kfox1111yeah. but my guess is it's either rabbit, ssh, or http polling. :/22:30
morganfainbergat least that was what it was doing before22:30
*** lhcheng has quit IRC22:30
morganfainberglikely ssh or rabbit22:30
kfox1111each has their problems. :/22:30
morganfainbergdon't think it's http polling22:30
morganfainbergat least i'd hope not22:30
morganfainbergor zmq *shrug*22:30
kfox1111oddly, http polling plays best with sdn of the 3 while still providing security. :/22:30
*** diazjf has left #openstack-keystone22:31
kfox1111that's why folks are pushing zaqar hard as the guest agent communication solution. guest agents really need a multitenant safe, client initiated scalable message queue. :/22:31
kfox1111it only works with keystone credentials though, hence the instance user need.22:31
morganfainbergwho is pushing that? zaqar folks or lots of folks?22:32
* morganfainberg is out of the loop22:32
kfox1111zaqar and some of us ops that keep tripping over every project badly reimplementing the wheel.22:32
morganfainbergthis isn't meant to be a snarky response, just a legitimate "who is pushing zaqar as the solution"22:32
kfox1111sahara kills us today. every instance has to have a floating ip so sahara can talk to it. :/22:32
kfox1111every time I try a new openstack service, it's repeating history. :/22:33
morganfainbergso.. i think there is somewhat of a disconnect here22:33
morganfainbergit almost feels like we're trying to solve PaaS issues with IaaS tools22:33
morganfainbergit's blended somewhere in between22:34
kfox1111SaaS, but go on.22:34
morganfainbergwhich makes it hard22:34
morganfainbergwell magnum == PaaS22:34
morganfainbergsahara is somewhere between SaaS and PaaS22:34
morganfainbergcloser to SaaS22:34
kfox1111actually, magnum's in a very weird place. it's SaaS, in that it's deploying Software as a Service (magnum)22:34
kfox1111which itself is a PaaS. :)22:34
morganfainbergkfox1111: lets just call that PaaS then :P22:35
* kfox1111 chuckles.22:35
morganfainbergnet result - it's a platform as a service22:35
kfox1111k.22:35
kfox1111bleh. meant it's deploying Kubernetes.22:35
morganfainbergbecause you could say IaaS is SaaS just deploying IaaS things (net result)22:35
kfox1111Kubernetes is platform as a service, magnum is deploying the software Kubernetes.22:36
morganfainberglinux on kvm is *really* just software22:36
morganfainberg:P22:36
kfox1111anyway...22:36
morganfainbergit's semantics22:36
kfox1111true.22:36
kfox1111fair enough. everything's about definitions. I'll use yours for now.22:37
morganfainbergwhat i'm trying to dig into is how much of this is really tied to the user that is provisioning a vm22:37
kfox1111in my little world, long term most users won't be provisioning vm's, they will be using prebuilt templates to do that.22:37
kfox1111Ie, go to the app catalog, choose my sweet cloud app, hit run.22:38
morganfainbergand how linking it to the low level of what is used to make nova, glance, swift, cinder helps. [not saying this is wrong by any means]22:38
kfox1111it's some autoscaled, multitiered web app.22:38
kfox1111yeah. to me, those components really are building blocks to the end result a user cares about. they are gears the user doesn't care about.22:39
morganfainbergkfox1111: right22:39
kfox1111the problem is getting them so they work together smoothly enough that a cloud developer can write a generic enough template that they can make available to users.22:39
kfox1111IE, add their app to the app store.22:39
kfox1111right now, most "apps" are very specific to one cloud. the one it was developed for.22:40
kfox1111so they can't contribute it back. :/22:40
kfox1111Comparable to Linux back in its infancy.22:40
*** tqtran has joined #openstack-keystone22:40
kfox1111only a developer could write software for it, and it only ran on their own box.22:40
kfox1111I want to get to a place where OpenStack is like Android. You pull up the store, search through a wealth of apps, and hit launch, then use it.22:41
kfox1111We're close, but there are a few major pain points still in openstack for that. :/22:43
kfox1111secrets to vm's is one of the biggest.22:43
kfox1111(User manageable dns subdomains + ssl certs is another)22:44
kfox1111anyway. way off in left field again.22:45
openstackgerritBrant Knudson proposed openstack/keystone: Document policy target for operation  https://review.openstack.org/16852122:45
morganfainbergso i think i'm back to ephemeral PKI is really the best solution here22:45
kfox1111k.22:46
morganfainbergSSL certs with CAs, while heavy-weight-ish22:46
morganfainbergreally are the easiest way to convey "this VM is allowed to do X"22:46
morganfainbergand we can encode the vm's uuid (or whatever) as part of the DN22:46
kfox1111yeah. k.22:46
morganfainbergephemeral PKI work is happening, but i don't know the state of it22:47
morganfainbergit might be too new22:47
*** Akshay00 has joined #openstack-keystone22:47
kfox1111well, the "it can do x" is really "use project dummy"?22:47
morganfainbergbut still a CA + certs are a good way to go.22:47
gyeewe are deploying anchor22:47
kfox1111since that's required today to get a scoped token?22:47
morganfainbergkfox1111: we can map it to a special project if needed.22:47
*** packet has joined #openstack-keystone22:47
kfox1111k.22:47
morganfainbergkfox1111: or all to a group with a special role+project22:47
kfox1111yeah.22:48
gyeehttps://github.com/stackforge/anchor22:48
morganfainbergif it *has* to be keystone tokens (though this sounds more and more like it could also not be keystone tokens)22:48
morganfainbergkeystone can be configured to handle this.22:48
morganfainberglonger term we could make it the default configuration if there is really a demand22:48
morganfainberggyee: ++ that was what i was thinking, but i couldn't remember where it was22:49
kfox1111ok. so. nova has a db entry for cert. it gets a signed one from barbican. stores it. when a vm requests a token, the md server uses the cert to request a token and hand it back?22:49
*** lhcheng_ has quit IRC22:49
morganfainbergkfox1111: it could also use certmonger or any other mechanism for getting the cert22:49
morganfainbergand if barbican is used, nova can own the cert and request it on demand for environments that don't want keys (etc) in the nova-db22:50
*** Lactem has joined #openstack-keystone22:50
kfox1111morganfainberg: maybe. I identified another set of constraints. let me run those by you...22:50
LactemHas Dolph been on?22:50
morganfainbergLactem: i've seen him on twitter22:50
morganfainbergbut not much else today22:50
LactemOkay.22:50
LactemI needed his opinion on something he was guiding me with.22:50
kfox1111vms can be stopped, suspended or shelved. so they may not be able to self refresh a cert before they expire. but are still desired to work after rehydrating or restarting.22:51
morganfainbergLactem: it's also ~5pm his time22:51
LactemHe's been on around this time before, though.22:51
morganfainbergLactem: it is also a friday ;)22:51
LactemBut yeah it's getting late.22:51
kfox1111the other thing is vm's can be snapshotted. so it would be very good if instance user certs aren't snapshotted along with the vm.22:51
LactemVery true.22:51
*** Akshay00 has quit IRC22:51
morganfainbergkfox1111: i think SpamapS' recommendation of a microservice is sounding more and more correct rather than wedging this into metadata22:52
morganfainbergand it would solve the configdrive issue22:52
kfox1111except his suggestion requires a one time fetch.22:52
Lactemmorganfainberg: Would you mind taking a quick look if I can't reach Dolph today? I just want to know if this code is path-worthy or not.22:52
kfox1111I'm not sure how that would work with the suspended case.22:52
kfox1111same with snapshotting.22:52
morganfainbergLactem: sure.22:52
LactemI wrote something. https://gist.github.com/Lactem/5a43296b8975da24db51 Would that suffice? (You said to make a test that does what https://paste.ee/p/pdyrS does.)22:52
Lactem^ That's the message I sent to him.22:52
morganfainbergwhoa. uhm. hold on a sec22:53
kfox1111I'm ok with the other service, so long as it doesn't complicate things. but I think you really need a cert or something in order to talk to that microservice, and then what's the point?22:53
LactemOkay.22:53
LactemIt's about bug https://bugs.launchpad.net/keystone/+bug/1098564 by the way.22:53
openstackLaunchpad bug 1098564 in Keystone "Cannot delete a service or endpoint" [Low,Incomplete] - Assigned to Theodore Ilie (theoilie-ti)22:53
morganfainbergoh not cool irccloud... auto-embedding gists and such22:53
morganfainbergugh22:53
morganfainbergLactem: my settings made it hard to follow the convo w/ kfox111122:54
morganfainbergLactem: let me finish this up and then i'll look22:54
morganfainbergkfox1111: you know i was wrong22:55
morganfainbergkfox1111: this sounds like you want puppet/chef-as-a-service built into the cloud22:55
LactemAlright. No rush.22:55
kfox1111morganfainberg: I've wanted that. :)22:56
morganfainbergkfox1111: i think we're crossing things up in ways that are problematic22:56
kfox1111none of the configuration management systems handle ephemeral vms well though.22:56
kfox1111ansible's the closest I've seen to dealing with it right. :/22:56
kfox1111most config management systems assume they are driving the deployment. they don't handle heat autoscaling well. :/22:57
kfox1111possibly. whatcha thinking?22:57
morganfainbergi'm thinking the focus becomes make CMS handle ephemeral vms22:57
morganfainbergand drive it with say ansible22:57
morganfainbergplay to the strengths of the technology22:58
kfox1111k. lets start at the root.... heat autoscaling.22:58
kfox1111you have a template, created on demand by heat when load gets high enough, that needs to be instantiated.22:58
morganfainbergthis whole spec is starting to feel like we need to invent something new and wedge a square peg into a round hole22:58
morganfainbergkfox1111: and playbooks do a reasonable job of things like this.22:58
morganfainbergreasonable - not fantastic22:59
morganfainbergbut we can improve reasonable to something better22:59
kfox1111sure.22:59
kfox1111heat supports using playbooks within the instance.22:59
kfox1111but the instance needs to get secrets from somewhere.22:59
kfox1111heat autoscale launches a new heat stack for the instance.23:00
morganfainbergbut these secrets aren't OpenStack secrets23:00
kfox1111has a resource for a nova vm.23:00
morganfainbergthese are app secrets23:00
kfox1111correct.23:00
morganfainbergso what is the store for a user secret?23:00
kfox1111but it's automated within openstack, so it has to be pulled in somehow based on only knowledge openstack has.23:00
morganfainbergbarbican?23:00
kfox1111barbican.23:01
morganfainbergand heat has authority to act on user's behalf23:01
morganfainbergand contact barbican23:01
morganfainbergthis could all be driven from the heat side.23:01
kfox1111yes, but there's no way to get a secret into the vm securely?23:01
kfox1111heat has a trust for the user, so it can use that...23:01
morganfainberghow does ansible get secrets to anything securely atm?23:02
*** pballand has quit IRC23:02
morganfainberghow does chef? or puppet do it?23:02
kfox1111but you don't want to push the user's trust into the vm?23:02
kfox1111the management node, or whatever you want to call it. the thing running ansible,23:02
kfox1111scp's files from that node to the other nodes it manages.23:02
morganfainbergso could heat push this data down?23:02
morganfainbergyou've already trusted heat with a lot of powers23:03
kfox1111its the controller -> vm contact thing again.23:03
kfox1111hmmm....23:03
LactemInteresting conversation.23:03
morganfainbergheat is already driving everything here23:03
*** pballand has joined #openstack-keystone23:03
kfox1111so extend the heat api, to make barbican secrets available via heat api, then pass a keystone heat user into the vm so it can call back and get it?23:04
morganfainbergnot an unreasonable approach if heat already does things23:04
morganfainbergthat way as heats model evolves and gets better, you already benefit23:04
morganfainbergyou're not re-inventing everything23:04
kfox1111it doesn't solve the guest agent issue, but it's a way to solve the secrets from heat use case.23:05
morganfainbergthe guest agent issue is a go back to the projects and make them stop doing things badly23:05
morganfainbergif every one of them is different, i'm going to go out on a limb and say it's not going to get better with $magic keystone users23:06
morganfainbergit's just going to be a custom thing for every one of them23:06
kfox1111it's only different so far because each of them, when they ask the others how did you solve it, has said "by ourselves" :/23:06
morganfainbergkfox1111: we can work on socialization issues like that23:07
kfox1111octavia said to me "if we would have known instance users were coming" we would have waited and just used that.23:07
kfox1111or contributed.23:07
morganfainbergwe don't need to reinvent a mix between CMS and PaaS23:07
morganfainbergwe already have a lot of those23:07
kfox1111instances are going to want to talk to openstack services one day.23:07
kfox1111keystone's the gatekeeper to that.23:08
kfox1111jenkins and nagios are some other examples.23:08
morganfainbergand i'm likely going to tell you the same thing then. they don't get a special ability to make users23:08
bknudsonthe instance might run an instance of keystone23:08
morganfainbergthey can either (case of jenkins?) get a service user with the right scope of access (or use the owner's account/service account)23:08
kfox1111true. they just need a way to get a keystone token. which is what the spec's totally about.23:08
kfox1111I don't really care how it happens, just that they are available when needed. :)23:09
*** stevemar has joined #openstack-keystone23:09
kfox1111which is why the api reflected "instance asks metadata server for token". the rest is all totally implementation detail.23:09
morganfainbergkfox1111: i really don't think you're going to have a huge demand for VMs to talk to OpenStack services directly - most of them are one-off/ansible-push type deals and then the subordinate services don't need to talk to nova, glance, etc23:10
kfox1111you're right though, there's nothing really stopping nova from accepting the user's token as part of the instance create, and then using that to hand out tokens to the vm.23:10
kfox1111morganfainberg: amazon implements both chef as a service, and instance users.23:11
morganfainbergkfox1111: i'm trying to not wedge this into keystone-must-be-in-the-middle, or exclude that.23:11
kfox1111they felt it important enough to implement due to customer demand.23:11
morganfainbergkfox1111: i can get you instance users.23:11
morganfainbergkfox1111: i can. but it's going to be x509 certs and some enhancements around that23:11
openstackgerritBrant Knudson proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/19040523:11
kfox1111thats fine. I can go with that. no problem.23:11
bknudsonmaybe we can get this right.23:11
bknudsonmight be better off just waiting until a reqs update.23:12
morganfainbergbut it sounds to me like the first step is going to be push the data down23:12
morganfainbergand that hits the immediate need23:12
morganfainbergheat drives, uses ansible or whatever else23:12
morganfainbergand we can get the x509 user stuff in place in liberty23:12
*** stevemar has quit IRC23:13
morganfainbergat that point we can evaluate the demand for instance users23:13
kfox1111so let's double check that workflow. because we keep hitting "secret to vm to download secrets".23:13
morganfainbergand what needs to be done to make it better. we also will have improved some of how keystone is working (paid down tech debt) that makes some of this stuff easier23:13
bknudsonthe x509 is essentially attribute mapping23:13
morganfainbergbknudson: correct23:13
bknudsonyou could do that in several ways23:13
bknudsone.g., saml23:13
kfox1111how does heat get a secret to the vm in order for it to talk back to heat reliably to get the secrets from it?23:13
bknudson(so why pick x.509 and not something else?)23:14
morganfainbergbknudson: less overhead issuing a cert than building a SAML2 IdP23:14
morganfainbergbknudson: not needing shibboleth/mellon to deconstruct things23:15
morganfainbergbknudson: and we're already doing the work for tokenless service users23:15
bknudsoncome up with your own format.23:15
bknudsonsign a JSON document23:15
*** zzzeek has quit IRC23:15
kfox1111bknudson: I have a prototype of that working in barbican. :)23:15
kfox1111even reuses keystone's pki/z code. :)23:16
morganfainbergbknudson: if you want to do that and go to bat with the corporate security folks i'm all for pointing them all at you ;)23:16
morganfainbergwhen they come and ask me about it23:16
bknudsoncorporate * folks are all about saying no23:17
morganfainbergbknudson: i am also trying to not NIH a new standard way of securely communicating these attributes23:17
morganfainbergbknudson: same reason i pushed so hard to make k2k use SAML23:17
morganfainbergit's politically an easier sell to corp * types23:17
morganfainbergand eases adoption23:17
bknudsonshould have pushed k2k to use x.50923:17
bknudson... wondering why pushing x.509 here and saml elsewhere23:17
*** henrynash has quit IRC23:17
morganfainbergbecause its a lot more work to setup k2k type federation23:18
morganfainbergand the workflows are more complex23:18
*** ekarlso has quit IRC23:18
*** ekarlso has joined #openstack-keystone23:18
kfox1111so in the heat managing secrets for vm's, how does heat get a secret to the vm so that it can download secrets? Especially in light that they want to support zaqar with their guest agent some day soon?23:19
morganfainbergsaml was used in the k2k because it really is an SP/IdP relationship23:19
morganfainbergbut sure we could do saml between nova and keystone for the vm users23:19
Lactemmorganfainberg: I'm going to leave soon. Would you mind commenting on the gist? I won't see an IRC message.23:19
morganfainbergLactem: sure i'll comment @ the gist23:19
morganfainbergLactem: sorry.23:19
LactemThank you.23:20
LactemTake your time.23:20
morganfainbergLactem: for the delay23:20
LactemHappy Friday!23:20
LactemWait are you doing it right now?23:20
morganfainbergLactem: no still in this convo here23:20
LactemOkay I'll leave then. See you later.23:20
*** Lactem has quit IRC23:20
*** gyee has quit IRC23:21
morganfainbergkfox1111: so lets take a big issue off the table23:21
kfox1111having an instance user solves both cases for heat. it can use the same instance user to run the guest agent, and pull the secrets from barbican.23:21
kfox1111ok.23:21
morganfainbergkfox1111: i lost my train of thought...crap23:21
morganfainbergno idea what i was going to type next23:21
morganfainberg:P23:21
kfox1111sry. :/23:21
morganfainbergnot your fault23:22
morganfainbergit's my brain23:22
kfox1111we were discussing making heat deal with secrets directly. something about that?23:23
morganfainbergkfox1111: yeah no idea it's lost23:23
kfox1111k.23:23
morganfainbergkfox1111: so explain/link me the amazon flow23:23
morganfainbergfor the instance user23:23
kfox1111ok. so they have IAM.23:24
morganfainbergi know iam, assume i've worked with aws before ;)23:24
morganfainbergjust not with the instance users23:24
*** pballand has quit IRC23:24
morganfainberg(i did in a past job)23:24
kfox1111a user can create a document saying something like I want to delegate access to these specific roles/resources.23:24
kfox1111they register that document with keystone basically.23:25
kfox1111then:23:25
kfox1111aws ec2 run-instances --iam-instance-profile role_name23:25
*** lhcheng has joined #openstack-keystone23:25
*** ChanServ sets mode: +v lhcheng23:25
kfox1111where profile_name there is that document handle.23:25
kfox1111the vm gets launched.23:26
kfox1111the vm can then:23:26
kfox1111curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role_name23:26
morganfainbergwhat prevents $instance from getting $other_instance_cred23:26
kfox1111they get back basically a scoped token for the role.23:26
morganfainbergis this magic inside aws somewhere?23:26
kfox1111the metadata server handles authentication between it and the vm.23:26
*** _cjones_ has quit IRC23:27
kfox1111thats part of the magic of the md server.23:27
kfox1111same with nova's.23:27
*** dramakri has quit IRC23:27
morganfainbergok so this is still boiling down to "make md server acceptable and used everywhere"23:27
morganfainbergif that happens you have an easier case to work between nova and keystone23:27
morganfainbergbut since MD is not everywhere and/or is broken in a lot of places23:27
* kfox1111 nods.23:27
*** dramakri has joined #openstack-keystone23:27
kfox1111if I can get 80% of the deployments working I'd be happy with that. :/23:28
kfox1111there's only so much I can do.23:28
morganfainbergbug hogepodge and figure out how to make it a defcore thing :P23:28
kfox1111the problem I have with using config drive is its static.23:28
* morganfainberg didn't say that too loudly i hope23:28
kfox1111no way to refresh a certificate or something there.23:28
morganfainbergkfox1111: so assume you need the degenerate case of static23:28
kfox1111thats on my list. ;)23:28
morganfainbergand you can't refresh23:28
morganfainbergor you need something + config drive23:29
kfox1111I cant think of a way to make the config drive case work with a vm that's mothballed for a month or a year.23:29
morganfainbergor you need md everywhere23:29
kfox1111eventually a cert passed through it will expire.23:29
morganfainbergif someone waits that long23:29
kfox1111and it wont have a valid cert to request a new one. :/23:29
morganfainbergthey can spin a new vm23:29
kfox1111as much as I like cattle,23:29
kfox1111pets are way too common. :/23:30
morganfainbergyou can't solve everyone's cases23:30
morganfainbergsolve for 80% of the real world23:30
morganfainbergwho is going to mothball for a year+23:30
kfox1111yeah. so which one's more common, pets, or people who don't trust the md server?23:30
morganfainbergpeople who don't trust the md server23:30
morganfainbergin the context of what you're working on23:30
kfox1111are there metrics for that? truly curious.23:30
morganfainbergyou're working on a premise of cattle23:30
morganfainbergtherefore pets are the outlier23:31
kfox1111true. but I think instances that dont trust the md server are more rare.23:31
morganfainbergthe bigger issue is you're fighting some places use CD and someplaces use MD but it times out23:31
morganfainbergand some places have hacked up MD to be hack-y23:31
kfox1111yeah.23:31
*** pballand has joined #openstack-keystone23:31
morganfainbergso don't solve the pet case here23:31
kfox1111thats why I almost think its better to come up with a whole new md server just for this. :/23:32
morganfainbergif you re-write MD to be smarter/better/faster/stronger/daft punk/something else23:32
morganfainbergand focus on making it so that config drive *isnt* a better option23:32
morganfainbergthis becomes easier.23:33
morganfainbergif you wedge this functionality into the MD server today - you get something that is equally half baked23:33
kfox1111but,23:33
morganfainbergi think you need to do both things and the case is instance users23:33
morganfainbergi'm telling you, from experience i wouldn't run metadata server in my cloud23:33
morganfainbergperiod23:33
kfox1111if their users need the catalog and it isnt supported in their cloud, ops might switch / invest in making md better.23:33
morganfainbergif i was deploying openstack, i'd deploy config drive23:34
morganfainbergtoday23:34
kfox1111truly curious, why?23:34
morganfainbergmetadata's implementation is pretty bad23:34
morganfainbergin a scaled environment (minor scale) it times out23:34
kfox1111I have seen that in the past, but not in the past year.23:35
kfox1111though I don't hit it probably as hard as you.23:35
morganfainbergpast job, hit it pretty darn hard23:35
morganfainberg~40-100 hypervisors23:35
morganfainbergnot excessive scale23:35
morganfainbergconfig drive also has less moving parts23:35
kfox1111I've got about that too.23:35
kfox1111true. the neutron metadata proxy's a kick in the pants. :)23:36
kfox1111but the one advantage is its dynamic. config drive's static. :/23:36
morganfainbergi'd rather have metadata from a user/consumer perspective23:36
morganfainbergi take static and bombproof23:36
morganfainbergto dynamic and crashy23:36
morganfainbergor dynamic and not-as-stable23:36
morganfainbergless customer calls23:36
morganfainbergless overhead23:37
kfox1111fair. but like most things http, should it just retry a few times? :)23:37
kfox1111true.23:37
kfox1111so... is there another option we're missing?23:37
kfox1111config drive like but not?23:37
morganfainbergdoor #323:37
morganfainbergconfig drive does the stuff metadata does poorly23:37
morganfainbergmetadata does the stuff config drive does poorly23:38
morganfainbergor door #423:38
kfox1111an instance user cert config drive?23:38
morganfainbergmicroservice that is like metadata but only does instance-users23:38
kfox1111when it needs refreshing, nova unplugs rebuilds, replugs?23:38
morganfainbergi can't answer the right approach23:38
morganfainbergbut if you like the amazon model, get MD to be the required lot.23:39
kfox1111nova compute generates the cert, registers it with barbican.23:39
kfox1111amazon just happened to implement it in roughly the same way I thought of solving it, independently.23:39
morganfainbergwe can figure out the best way to source per-vm-users in keystone, but the easiest way to do that is x509 per instance23:40
kfox1111That has some appeal to me to continue down that path since it works at scale for them.23:40
morganfainbergand quickest-to-success route is that23:40
kfox1111yeah. I'll write the spec up with that.23:40
morganfainbergbut it has some cons, and it doesn't work 100% like you'd expect because keystone wasn't designed with this in mind23:40
kfox1111I'm basically redoing everything else. :/23:40
morganfainberganything that is more APIs - it's going to be further out than liberty (meaning N release is likely when you can consume it)23:41
morganfainbergon the keystone side that is23:41
morganfainbergor O release if it's really complex23:41
kfox1111yeah.23:41
kfox1111understood. thats why I only care about coming up with a very simple api from the users perspective,23:42
kfox1111and let us find a good solution long term to the rest.23:42
bknudsonthe big-O release is going to be all about scalability23:42
morganfainbergx509 or other IdP like secure mechanism that hooks into what we have today23:42
bknudsoncomputer science joke23:42
morganfainbergis a good bet23:42
kfox1111curl 169.254.169.254/openstack/latest/token  and the rest is details we can always change later.23:42
kfox1111bknudson: :)23:42
morganfainbergbknudson: the O(n) release?23:43
morganfainbergbknudson:  ;)23:43
kfox1111initial implementation with ca should be easy and scale pretty well.23:43
kfox1111passing the cert to the user does handle the config drive case, and you're right, maybe the non pet case is good enough.23:44
morganfainbergkfox1111: don't try and solve the pet case right away23:44
morganfainbergkfox1111: your premise is starting from cattle23:44
kfox1111but it ties our hands to ca x509 /keystone forever.23:44
kfox1111because that's then part of the API.23:44
kfox1111do you believe that will be good enough forever?23:45
morganfainbergkfox1111: maybe the API should be "authentication credentials and metadata about how to auth"23:45
morganfainbergin the spec23:45
morganfainbergso you can make it typed23:45
morganfainberg{ 'instance_user_authn': { 'type': 'x509', ....}23:46
*** ankita_wagh has quit IRC23:46
kfox1111hmm... yeah.23:46
kfox1111but the keystone endpoint given would have to take that document no matter what was in it.23:46
morganfainberggive yourself enough flexibility, but be opinionated about the goals23:46
kfox1111well...23:46
morganfainbergkfox1111: also let it specify the authentication endpoint ;)23:46
kfox1111the keystone url handed back can be scoped to that type of auth...23:47
kfox1111yeah.23:47
morganfainbergby opinionated i mean: we are providing you with the type of authentication, the url, and x,y,z things"23:47
kfox1111ok. yeah.23:47
morganfainbergdon't make it "you can turn 40,000 knobs to make it better/different"23:47
kfox1111it does require the vm to be smarter, but probably ok...23:47
morganfainbergsure.23:48
morganfainbergyou can present the same exact data via MD if you want23:48
* kfox1111 grumbles about still maintaining centos 6 images....23:48
morganfainbergthe difference is authn: "keystone token"23:48
morganfainbergis the type23:48
morganfainbergor something23:48
morganfainbergso you have options here.23:49
kfox1111with the previous spec, we were just going to do a json document with url and such, and a binary blob for cert, or whatever.23:49
morganfainbergsure23:49
kfox1111I think that would probably still work.23:49
morganfainbergjust add a little more syntax to allow future iteration w/o API contract break23:49
morganfainbergdon't make it too many knobs23:49
morganfainbergjust future proof yourself23:49
kfox1111yeah. put the type in the json doc, and then if the client doesn't support it, it just throws an error.23:49
morganfainbergyep23:50
kfox1111if it does, it can select the right mechanism, and then fetch a token.23:50
morganfainbergcorrect23:50
kfox1111It still feels odd to push the abstraction all the way out to the vm :/23:50
morganfainbergmaybe the metadata form is "ask metadata at url X for token"23:50
kfox1111means you have to write that tricky logic for many operating systems. :/23:50
morganfainbergso it's <metadata addr>/openstack/instance_user/token23:50
morganfainbergand it's type is "metadata_proxy"23:51
morganfainbergor something23:51
kfox1111right.23:51
*** tqtran has quit IRC23:51
kfox1111then that part should probably be made pluggable in the nova metadata server...23:51
kfox1111which they will love... :/23:51
morganfainbergstart with the basic fixed form23:52
morganfainbergreally23:52
morganfainbergjust let the API syntax not lock you in23:52
kfox1111fair enough. don't bother them with that. we can always add it later if need be.23:52
kfox1111right.23:52
openstackgerritNathan Jewell proposed openstack/keystone: Saves output of run_tests.sh to .log file  https://review.openstack.org/19628523:52
morganfainbergit is much easier to add pluggability than to change an API23:53
morganfainbergcontract23:53
kfox1111true.23:53
kfox1111in fact.....23:53
morganfainbergand you may never need to make it pluggable23:53
kfox1111if some day they agree to make everything just be the metadata server,23:53
kfox1111then the binary blob can just be a token, and the auth_type can be "direct"23:53
morganfainbergand as a transition you could even do a configdrive -> type metadata request23:54
kfox1111yeah..... really liking that idea.23:54
morganfainbergnow.23:54
*** dramakri has quit IRC23:54
morganfainbergclearly define the scope (this is x509 now)23:54
morganfainbergor some such23:54
kfox1111right.23:55
morganfainbergdon't leave the door open for it to be everybody's special auth mech23:55
*** packet has quit IRC23:55
morganfainbergyou can always add more type definitions23:55
morganfainbergbut each auth type should be specifically and clearly defined23:55
morganfainbergso maybe you have x509 and direct to start23:55
kfox1111right. only one today. x509 cert.23:55
morganfainbergor whatever you want to call it23:55
morganfainberglike i said, be opinionated to the right degree23:56
morganfainberg:)23:56
kfox1111I'd rather not complicate it further. too much potential for bike shedding. :/23:56
morganfainbergless to bikeshed on that way23:56
kfox1111yup.23:56
morganfainbergbut you can clearly define future types23:57
morganfainbergand the initial step works for both configdrive and metadata23:57
kfox1111yeah.23:57
morganfainberg*and* doesn't try to solve pet cases to start - to be honest, most pets will use traditional CMS23:57
kfox1111true.23:58
morganfainbergthey aren't going to autoscale a pet23:58
kfox1111true too.23:58
kfox1111though I do run in to some of our production systems where certs expire because fetch-crl or whatever doesn't run and refresh things.23:58
*** raildo has quit IRC23:58
kfox1111so I am a bit sensitive to things expiring and giving me a bad day. :/23:59
kfox1111pets tend to have that problem. :/23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!