Monday, 2016-12-19

*** guoshan has joined #openstack-keystone [00:26]
*** guoshan has quit IRC [00:31]
*** guoshan has joined #openstack-keystone [00:44]
*** edmondsw has joined #openstack-keystone [00:58]
*** hoangcx has joined #openstack-keystone [00:59]
*** edmondsw has quit IRC [01:03]
*** guoshan has quit IRC [01:03]
*** tqtran has joined #openstack-keystone [01:10]
*** tqtran has quit IRC [01:14]
openstackgerrit: Steve Martinelli proposed openstack/python-keystoneclient: re-work inference rule manager  https://review.openstack.org/412236 [01:19]
*** zhangjl has joined #openstack-keystone [01:22]
openstackgerrit: Steve Martinelli proposed openstack/python-keystoneclient: re-work inference rule manager  https://review.openstack.org/412236 [01:22]
openstackgerrit: Steve Martinelli proposed openstack/python-keystoneclient: re-work inference rule bindings  https://review.openstack.org/412236 [01:26]
*** liujiong has joined #openstack-keystone [01:30]
openstackgerrit: Steve Martinelli proposed openstack/python-keystoneclient: re-work inference rule bindings  https://review.openstack.org/412236 [01:32]
jamielennox: stevemar: why do you dredge up old horrors? [01:35]
stevemar: jamielennox: because i thought i was going to fix an easy bug [01:36]
stevemar: jamielennox: AFAICT only 'create' and 'list all inferences' work [01:38]
*** guoshan has joined #openstack-keystone [01:41]
*** trananhkma has joined #openstack-keystone [01:46]
openstackgerrit: Steve Martinelli proposed openstack/python-keystoneclient: re-work inference rule bindings  https://review.openstack.org/412236 [02:08]
jamielennox: stevemar: -1ed it, in general i'm fine, but i expect people are using create [02:17]
jamielennox: if only adam [02:17]
jamielennox: it's a really easy compat though [02:18]
jamielennox: put a debtcollector wrapper on the function [02:18]
jamielennox: return InferenceRuleManager(self._adapter).create(prior, implied0 [02:19]
jamielennox: return InferenceRuleManager(self._adapter).create(prior, implied) [02:19]
jamielennox: oh, except it's creating a Role object? [02:19]
jamielennox: wtf [02:19]
jamielennox: yea, i don't care about that, that's just wrong [02:20]
*** asettle has joined #openstack-keystone [02:22]
stevemar: jamielennox: so im having trouble interpreting your back and forth [02:26]
stevemar: jamielennox: is that leave it alone, or use the debtcollector [02:26]
*** asettle has quit IRC [02:26]
jamielennox: stevemar: i would redirect it to the new function and let debtcollector do the deprecation [02:27]
stevemar: jamielennox: coolio [02:27]
*** catintheroof has quit IRC [02:28]
*** catintheroof has joined #openstack-keystone [02:30]
stevemar: jamielennox: i'll just add it to all of them [02:30]
stevemar: and make them proxy the new stuff [02:30]
stevemar: the returned content might be different, Role vs RuleInference [02:31]
*** catintheroof has quit IRC [02:34]
jamielennox: the resource objects are pretty dumb, that should be fine [02:35]
jamielennox: up to you, the existing stuff is actually broken so there's not a compat issue, but it might be less confusing [02:35]
stevemar: jamielennox: may as well proxy them all [02:38]
stevemar: jamielennox: easy to test these out? [02:39]
stevemar: (if debtcollector.removals actually kicked in) [02:41]
jamielennox: stevemar: are you asking how to test it? [02:55]
stevemar: jamielennox: incoming paste, 1 sec [02:57]
stevemar: jamielennox: http://paste.openstack.org/show/592750/ [02:57]
jamielennox: oh, it doesn't store there/ [02:58]
stevemar:     @removals.remove(message='Use %s.create instead.' % deprecation_msg, [02:58]
stevemar:                      version='3.9.0', removal_version='4.0.0') [02:58]
stevemar:     def create_implied(self, prior_role, implied_role, **kwargs): [02:58]
stevemar:         return InferenceRuleManager(self._adapter).create(prior_role, [02:58]
stevemar:                                                           implied_role) [02:58]
stevemar: (sorry for the spam) [02:58]
jamielennox: stevemar: use self.client [02:58]
jamielennox: it's not actually the client object, it's the adapter [03:00]
stevemar: jamielennox: ok, got through that, but unable to verify the returned content of the call [03:02]
stevemar: the test always stops when a deprecated function is used [03:02]
stevemar: I thought adding the filterwarnings would help :) [03:02]
jamielennox: stevemar: the tests fail because of the warning? [03:03]
jamielennox: there is an expect deprecations function there somewhere [03:04]
stevemar: it should be in test/utils :) [03:06]
*** gagehugo has quit IRC [03:07]
jamielennox: i think it's a fixture, i can't remember [03:07]
*** gagehugo has joined #openstack-keystone [03:08]
stevemar: with self.deprecations.expect_deprecations_here(): [03:08]
stevemar: jamielennox: ^ [03:09]
*** liujiong_66 has joined #openstack-keystone [03:09]
openstackgerrit: Steve Martinelli proposed openstack/python-keystoneclient: re-work inference rule bindings  https://review.openstack.org/412236 [03:10]
*** Nakato has quit IRC [03:10]
*** Nakato has joined #openstack-keystone [03:10]
*** liujiong has quit IRC [03:10]
*** tqtran has joined #openstack-keystone [03:11]
stevemar: should be good now [03:12]
*** tqtran has quit IRC [03:16]
openstackgerrit: Steve Martinelli proposed openstack/python-keystoneclient: re-work inference rule bindings  https://review.openstack.org/412236 [03:16]
stevemar: ok, now pep8 passes :) [03:16]
*** ngupta has joined #openstack-keystone [03:19]
*** frickler_ has joined #openstack-keystone [03:20]
*** frickler has quit IRC [03:21]
*** udesale has joined #openstack-keystone [03:22]
*** ngupta has quit IRC [03:24]
*** ngupta has joined #openstack-keystone [03:35]
openstackgerrit: Shan Guo proposed openstack/keystone: [api] set `is_admin_project` on tokens for admin project  https://review.openstack.org/409678 [03:36]
*** zhangqiankun has quit IRC [03:43]
*** zhangqiankun has joined #openstack-keystone [03:43]
*** nkinder has quit IRC [03:50]
*** nicolasbock has joined #openstack-keystone [03:53]
*** ngupta has quit IRC [04:12]
*** tqtran has joined #openstack-keystone [04:12]
*** ngupta has joined #openstack-keystone [04:13]
*** tqtran has quit IRC [04:17]
*** ngupta has quit IRC [04:17]
*** edmondsw has joined #openstack-keystone [04:34]
*** edmondsw has quit IRC [04:38]
*** adriant has quit IRC [04:43]
*** nicolasbock has quit IRC [04:43]
*** guoshan has quit IRC [04:55]
*** guoshan has joined #openstack-keystone [05:20]
*** guoshan has quit IRC [05:30]
*** guoshan has joined #openstack-keystone [05:49]
*** jaosorior has joined #openstack-keystone [06:06]
*** tqtran has joined #openstack-keystone [06:14]
*** tqtran has quit IRC [06:19]
*** asettle has joined #openstack-keystone [06:23]
openstackgerrit: yunfeng zhou proposed openstack/keystone: fix one typo.  https://review.openstack.org/412298 [06:24]
*** asettle has quit IRC [06:27]
*** enginy has joined #openstack-keystone [06:31]
*** enginy has quit IRC [06:34]
*** enginy has joined #openstack-keystone [06:35]
*** enginy has quit IRC [06:36]
*** qwertyco has joined #openstack-keystone [06:36]
*** liujiong_66 is now known as liujiong [06:53]
openstackgerrit: Shan Guo proposed openstack/keystone: Fix typo in doc  https://review.openstack.org/412313 [06:55]
*** tesseract has joined #openstack-keystone [07:04]
*** tesseract is now known as Guest33254 [07:05]
*** tobberydberg has joined #openstack-keystone [07:07]
*** zhangqiankun has quit IRC [07:28]
*** chrisplo_ has joined #openstack-keystone [07:31]
*** pcaruana has joined #openstack-keystone [07:33]
*** zhangqiankun has joined #openstack-keystone [07:45]
*** tobberyd_ has joined #openstack-keystone [07:56]
*** jaosorior has quit IRC [07:58]
*** tobberydberg has quit IRC [07:59]
*** edmondsw has joined #openstack-keystone [08:10]
*** edmondsw has quit IRC [08:14]
*** jaosorior has joined #openstack-keystone [08:24]
*** qwertyco has quit IRC [08:24]
*** qwertyco has joined #openstack-keystone [08:36]
*** masber has joined #openstack-keystone [08:39]
*** martinus__ has joined #openstack-keystone [08:41]
*** zhangqiankun has quit IRC [08:42]
*** chrisplo_ has quit IRC [08:43]
*** zhangqiankun has joined #openstack-keystone [08:43]
*** jaosorior has quit IRC [08:45]
*** jaosorior has joined #openstack-keystone [08:46]
*** rdo has quit IRC [08:54]
*** zzzeek has quit IRC [09:00]
*** zzzeek has joined #openstack-keystone [09:01]
*** qwertyco has quit IRC [09:06]
*** tobberyd_ has quit IRC [09:13]
*** tobberydberg has joined #openstack-keystone [09:14]
*** tqtran has joined #openstack-keystone [09:16]
*** tqtran has quit IRC [09:21]
*** asettle has joined #openstack-keystone [09:23]
*** asettle has quit IRC [09:28]
*** asettle has joined #openstack-keystone [09:32]
openstackgerrit: Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/399472 [09:36]
*** rdo has joined #openstack-keystone [09:38]
*** frickler_ is now known as frickler [09:44]
*** Adri2000 has quit IRC [09:54]
*** tqtran has joined #openstack-keystone [10:17]
*** trananhkma has quit IRC [10:20]
*** tqtran has quit IRC [10:22]
*** liujiong has quit IRC [10:22]
*** guoshan has quit IRC [10:33]
*** hoangcx has quit IRC [10:38]
*** udesale has quit IRC [10:58]
*** amoralej is now known as amoralej|brb [11:05]
*** asettle has quit IRC [11:05]
*** asettle has joined #openstack-keystone [11:09]
*** asettle has quit IRC [11:17]
*** guoshan has joined #openstack-keystone [11:23]
*** dave-mccowan has joined #openstack-keystone [11:26]
*** jefrite has joined #openstack-keystone [11:32]
*** Dave has quit IRC [11:33]
*** nicolasbock has joined #openstack-keystone [11:38]
*** Dave has joined #openstack-keystone [11:45]
*** guoshan has quit IRC [11:45]
*** dave-mcc_ has joined #openstack-keystone [11:45]
*** guoshan has joined #openstack-keystone [11:46]
*** edmondsw has joined #openstack-keystone [11:46]
openstackgerrit: Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/399472 [11:47]
*** guoshan has quit IRC [11:47]
*** guoshan has joined #openstack-keystone [11:47]
*** dave-mccowan has quit IRC [11:48]
*** edmondsw has quit IRC [11:50]
*** guoshan has quit IRC [12:06]
*** zhangjl has left #openstack-keystone [12:11]
*** raildo has joined #openstack-keystone [12:13]
*** amoralej|brb is now known as amoralej [12:15]
*** guoshan has joined #openstack-keystone [12:16]
*** catintheroof has joined #openstack-keystone [12:18]
*** dave-mcc_ has quit IRC [12:18]
openstackgerrit: Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/399472 [12:18]
*** iurygregory has joined #openstack-keystone [12:29]
*** flaper87 has joined #openstack-keystone [12:45]
*** guoshan has quit IRC [12:47]
*** guoshan has joined #openstack-keystone [13:01]
*** lamt has quit IRC [13:12]
*** tqtran has joined #openstack-keystone [13:19]
*** asettle has joined #openstack-keystone [13:22]
*** tqtran has quit IRC [13:24]
*** guoshan has quit IRC [13:26]
*** guoshan has joined #openstack-keystone [13:39]
*** erhudy has joined #openstack-keystone [13:45]
*** clenimar has joined #openstack-keystone [13:46]
*** guoshan has quit IRC [13:58]
openstackgerrit: Merged openstack/keystone: fix one typo.  https://review.openstack.org/412298 [14:09]
rodrigods: hey, i have some testing patches that would be great to see landing prior holidays :) [14:09]
rodrigods: https://review.openstack.org/#/c/410205/ and https://review.openstack.org/#/c/324769/ [14:09]
*** amoralej is now known as amoralej|lunch [14:10]
*** lamt has joined #openstack-keystone [14:11]
*** chlong has joined #openstack-keystone [14:14]
lbragstad: rodrigods i can add those to my review queue [14:33]
rodrigods: lbragstad, would be great :) [14:37]
*** jamielennox is now known as jamielennox|away [14:56]
*** amoralej|lunch is now known as amoralej [14:56]
*** adrian_otto has joined #openstack-keystone [14:58]
*** adrian_otto has quit IRC [15:03]
*** mbeierl has left #openstack-keystone [15:05]
*** sshen has quit IRC [15:19]
*** jaugustine has joined #openstack-keystone [15:22]
*** amac has joined #openstack-keystone [15:23]
amac: Hi, folks -- newb question about getting Keystone (Newton) to work with LDAP/AD. Is this the right place? [15:24]
lbragstad: amac yep - it should be [15:27]
lbragstad: amac we have a few ldap folks in the channel (but i'm not sure if they are on vacation already) [15:28]
lbragstad: crinkle mfisch ayoung dstanek just to name a few [15:28]
amac: That's great! I'll stay on, and dump some information about what I'm looking for in case we're on asynchronously. [15:29]
lbragstad: amac ++ [15:30]
openstackgerrit: Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/409874 [15:31]
openstackgerrit: Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Just a test with python3  https://review.openstack.org/412500 [15:31]
ayoung: There are AD specific docs out there, too [15:32]
lbragstad: ayoung good point [15:32]
lbragstad: here is one - https://wiki.openstack.org/wiki/HowtoIntegrateKeystonewithAD [15:33]
dstanek: amac: just ask away and someone will eventually answer if they know how to help [15:35]
knikolla: o/ [15:44]
amac: Thanks, lbragstad -- The docs are interesting. One question -- Is the driver = keystone.identity.backends.ldap.Identity still valid? The newest git version of the docs mentions driver = ldap [15:53]
amac: OK -- here's what I am trying to do and what I have done. [15:53]
amac: I'm at Univ. of Virginia, trying to get the existing (and involute) AD system to talk to Keystone. [15:54]
amac: I have the basic setup done and communicating -- it authenticates and binds. When I do something like "open stack user list" or "open stack token issue", however, I get the following: [15:54]
amac: The request you have made requires authentication. (HTTP 401) (Request-ID: req-52cd179b-599c-4c1e-8337-59db7da88bf2) [15:55]
ayoung: amac driver = ldap  is the new hotness [15:55]
ayoung: the other was doing a full path, now we go by entrypoints [15:55]
amac: Great. Glad I'm on track. [15:55]
amac: Now, we go through the basic auth OK -- I am getting LDAP communication indicated in the logs. I used wireshark to see what was actually being passed, and I get this: [15:56]
amac: 9 0.100119728 172.16.239.131 -> 128.143.33.140 LDAP 237 searchRequest(7) "cn=Users,dc=eservices,dc=virginia,dc=edu" wholeSubtree [15:56]
amac: 13 0.108524508 128.143.33.140 -> 172.16.239.131 LDAP 258 searchResEntry(7) "CN=ars9ac,CN=Users,DC=eservices,DC=virginia,DC=edu"  | searchResDone(7) success [15:56]
amac: 19 0.113703514 172.16.239.131 -> 128.143.33.140 LDAP 221 searchRequest(8) "cn=Users,dc=eservices,dc=virginia,dc=edu" wholeSubtree [15:56]
amac: 26 0.118226237 128.143.33.140 -> 172.16.239.131 LDAP 258 searchResEntry(8) "CN=ars9ac,CN=Users,DC=eservices,DC=virginia,DC=edu"  | searchResDone(8) success [15:56]
amac: 31 0.118735800 172.16.239.131 -> 128.143.33.140 LDAP 61 unbindRequest(2) [15:56]
amac: 45 0.136929751 172.16.239.131 -> 128.143.33.140 LDAP 138 bindRequest(1) "CN=ars9ac,CN=Users,DC=eservices,DC=virginia,DC=edu" simple [15:56]
amac: 49 0.143571158 128.143.33.140 -> 172.16.239.131 LDAP 76 bindResponse(1) success [15:56]
amac: 54 0.170426707 172.16.239.131 -> 128.143.33.140 LDAP 221 searchRequest(9) "cn=Users,dc=eservices,dc=virginia,dc=edu" wholeSubtree [15:56]
amac: 60 0.175197412 128.143.33.140 -> 172.16.239.131 LDAP 258 searchResEntry(9) "CN=ars9ac,CN=Users,DC=eservices,DC=virginia,DC=edu"  | searchResDone(9) success [15:56]
amac: 66 0.203281605 172.16.239.131 -> 128.143.33.140 LDAP 221 searchRequest(10) "cn=Users,dc=eservices,dc=virginia,dc=edu" wholeSubtree [15:57]
amac: 72 0.207949448 128.143.33.140 -> 172.16.239.131 LDAP 258 searchResEntry(10) "CN=ars9ac,CN=Users,DC=eservices,DC=virginia,DC=edu"  | searchResDone(10) success [15:57]
amac: 86 0.220894366 172.16.239.131 -> 128.143.33.140 LDAP 236 searchRequest(11) "OU=MyGroups,dc=eservices,dc=virginia,dc=edu" wholeSubtree [15:57]
amac: 91 0.228672914 128.143.33.140 -> 172.16.239.131 LDAP 1428 searchResEntry(11) "CN=gaussian,OU=MyGroups,DC=eservices,DC=virginia,DC=edu"  | searchResEntry(11) "CN=its-all-access,OU=ServiceNow,OU=MyGroups,DC=eservices,DC=virginia,DC=edu"  | searchResEntry(11) "CN=SN_ITS-ITIL-Role,OU=MyGroups,DC=eservices,DC=virginia,DC=edu"  | searchResEntry(11) "CN=hpc_admin,OU=MyGroups,DC=eservices,DC=virginia,DC=edu"  | searchResEntry(11) "CN=hpc_vendor,OU=MyGroup [15:57]
amac: s,DC=eservices,DC=virginia,DC=edu"  | searchResEntry(11) "CN=ivyadmin,OU=Ivy,OU=MyGroups,DC=eservices,DC=virginia,DC=edu"  | searchResEntry(11) "CN=hpc_build,OU=MyGroups,DC=eservices,DC=virginia,DC=edu"  | searchResEntry(11) "CN=Orourke-lab-data,OU=MyGroups,DC=eservices,DC=virgini [15:57]
amac: That last block is just a listing of the groups of which I am a member. That's good -- but has little to do with a user list or authenticating to get a token. [15:57]
amac: I'm stymied at this point -- what am I missing? [15:57]
amac: I can also dump some logs/configs on you, if that's useful. [15:58]
*** mvk has quit IRC [16:00]
ayoung: amac, so, in the future if you have a load of log data etc to share, use paste. [16:00]
ayoung: http://paste.openstack.org/ [16:00]
amac: Thanks for the tip. :) [16:00]
ayoung: there are a handful of queries that happen when a user authenticates [16:00]
ayoung: first the keystone server uses the userid and password to do a simple bind in order to authenticate the user [16:01]
ayoung: this is a security disaster that I hate, and it is so common as to be pathetic [16:01]
ayoung: let's move on [16:01]
ayoung: the rest of the queries are performed by the configured admin user for LDAP, which can be a simple bind [16:02]
ayoung: er [16:02]
amac: On that -- I have a different auth account to do that initial bind [16:02]
ayoung: which can be an anonymous bind I should say [16:02]
amac: and then I use my user account for the rest... I think [16:02]
ayoung: amac, nope [16:02]
*** Guest33254 has quit IRC [16:02]
*** phalmos has joined #openstack-keystone [16:02]
ayoung: lets say there are 2 users involved here [16:02]
ayoung: 1. is the human being with the username and password passed in the keystone token request [16:03]
ayoung: 2. is a service account set in the keystone config file [16:03]
ayoung: the initial bind is done as the human [16:03]
*** hugokuo has quit IRC [16:03]
ayoung: the rest is done based on the config option here: http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n1073 [16:04]
*** ravelar has joined #openstack-keystone [16:04]
*** tobberyd_ has joined #openstack-keystone [16:04]
ayoung: "CN=ars9ac,CN=Users,DC=eservices,DC=virginia,DC=edu" [16:04]
ayoung: amac, so is ars9ac  the human or the configured service user in your case? [16:05]
ayoung: I'm guessing the human [16:05]
amac: Yes. The service account is what I have set up in the keystone.conf [ldap] section under "user" [16:05]
amac: It's the one that [16:06]
amac: is allowed to use the private LDAP server. [16:06]
amac: Now, to be sure I understand -- I'm trying to authenticate user #1 with the access afforded by #2, correct? [16:06]
*** tobberydberg has quit IRC [16:07]
ayoung: not quite [16:07]
*** agrebennikov has joined #openstack-keystone [16:07]
amac: I ran into the anonymous bind issue, by the way (disallowed) and set chase_referrals = 0 [16:07]
*** jlopezgu has quit IRC [16:07]
*** edmondsw has joined #openstack-keystone [16:08]
ayoung: the authentication happens using a simple bind with the original users account.  The rest is getting information about the user to populate the token [16:08]
*** edmondsw has quit IRC [16:08]
ayoung: so the service user does a bunch of queries [16:08]
*** edmondsw has joined #openstack-keystone [16:08]
ayoung: in the subtree  "cn=Users,dc=eservices,dc=virginia,dc=edu"  it should find the user objects that match the search criteria for your user: [16:08]
ayoung: CN==ars9ac  or so it appears [16:09]
*** hugokuo has joined #openstack-keystone [16:09]
*** tobberyd_ has quit IRC [16:09]
ayoung: then it lists groups for that user [16:09]
amac: Sounds like what I'm seeing. [16:10]
ayoung: Yep [16:10]
ayoung: and then based on the userid and the groups, Keystone will look up role assignments for the user [16:10]
amac: And that's where the auth fails. What is it looking for? [16:12]
*** edmondsw has quit IRC [16:12]
*** edmondsw has joined #openstack-keystone [16:12]
*** jlopezgu has joined #openstack-keystone [16:12]
ayoung: amac, a role assignment is a record that links a user or group to a project, annotated by a role, usually either `admin` or '_member_' [16:14]
*** pcaruana has quit IRC [16:15]
*** diazjf has joined #openstack-keystone [16:15]
ayoung: with SQL, there was an option to have a default project for a user, and an authentication request would look for the value for that project to find the roles. [16:15]
ayoung: But LDAP does not have a way to store that valude [16:15]
ayoung: value [16:15]
ayoung: so you need to request token scoped to a project explicitly when using LDAP [16:16]
amac: aha. Can I use the project "default" (as still defined in SQL) or do I need to be matching a project somehow defined in AD/LDAP? [16:16]
ayoung: when executing via the CLI, this is using the OS_PROJECT_ID env variable, or a combination of OS_PROJECT_DOMAIN_ID/OS_PROJECT_DOMAIN_NAME  and the OS_PROJECT_NAME variables [16:16]
*** phalmos has quit IRC [16:17]
ayoung: any viable project in your database is a viable target for a role assignment [16:17]
*** tqtran has joined #openstack-keystone [16:21]
amac: So in doing that for all of the projects listed in mysql (for example, user list --project admin), I get similar behavior. Other tries were Default, default, service and demo, as well as some of the groups on the LDAP side. [16:24]
*** browne has joined #openstack-keystone [16:24]
amac: Am I misunderstanding what a project constitutes? [16:24]
*** tqtran has quit IRC [16:26]
amac: OK -- for reference, here's the log of my most recent query: http://paste.openstack.org/show/592808/ [16:30]
amac: and config file (sanitized for passwords): http://paste.openstack.org/show/592807/ [16:31]
*** edmondsw has quit IRC [16:39]
*** edmondsw has joined #openstack-keystone [16:40]
*** edmondsw has quit IRC [16:41]
*** edmondsw has joined #openstack-keystone [16:42]
openstackgerrit: Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/409874 [16:47]
*** edmondsw has quit IRC [16:47]
*** jaosorior has quit IRC [16:48]
*** edmondsw has joined #openstack-keystone [16:48]
*** jaosorior has joined #openstack-keystone [16:48]
*** edmondsw has quit IRC [16:52]
*** Zer0Byte__ has joined #openstack-keystone [17:17]
*** phalmos has joined #openstack-keystone [17:21]
*** phalmos has quit IRC [17:32]
*** nicolasbock has quit IRC [17:43]
*** nicolasbock has joined #openstack-keystone [17:48]
lbragstad: I have a couple stable/mitaka reviews up for grabs if anyone is interested in reviewing them https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:stable/mitaka+topic:bug/1647800 [17:50]
*** tqtran has joined #openstack-keystone [17:53]
*** chris_hultin|AWA is now known as chris_hultin [18:01]
ayoung: once a spec is approved, where does it show up in the public web? [18:02]
stevemar: ayoung: http://specs.openstack.org/openstack/keystone-specs/ [18:04]
ayoung: stevemar, thanks [18:04]
erhudy: amac: we ended up using LDAP for user authentication but storing projects locally rather than trying to map them into our AD schema [18:13]
erhudy: there was some impedance mismatch the nature of which i no longer recall, but it ended up being easier to write a script that trawled a particular OU in AD and inserted projects into keystone [18:14]
amac: Sounds like a good plan. Did you do that by using multiple domains, or can I do that with my initial single-domain setup? [18:16]
amac: I may do something similar. [18:16]
erhudy: when i started it was keystone v2, we've been migrating clusters to liberty and v3 but sticking to a single-domain setup for now [18:16]
erhudy: so at present we operate entirely in the default domain [18:17]
amac: Great. I'll be using domains eventually, but trying to keep the number of moving parts minimal during the learning process. [18:17]
stevemar: amac: i wrote something up about integrating keystone and ldap a while ago, still applicable: https://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/ [18:17]
stevemar: amac: don't worry too much about the domain part :) [18:17]
stevemar: i promise it's painless [18:18]
amac: :) So pleased to hear it. [18:18]
*** diazjf has quit IRC [18:18]
amac: I ran across this doc when I was trawling for information -- wasn't sure if it was up to date. I'm pleased to know it's still germane. [18:18]
amac: stevemar I'll dig deeper and see if I can get this moving. [18:19]
ayoung: You can't store projects in LDAP anymore anyway [18:31]
amac: That was my impression -- that all modification had to be local. [18:45]
openstackgerrit: Merged openstack/keystone: Fix typo in doc  https://review.openstack.org/412313 [19:03]
*** browne has quit IRC [19:05]
*** david-lyle_ has joined #openstack-keystone [19:13]
*** openstackstatus has quit IRC [19:13]
*** david-lyle has quit IRC [19:13]
*** openstack has joined #openstack-keystone [19:13]
amac: stevemar, thanks for the help with the domains thing. It's behaving at least as well as the single-domain for now. :) [19:25]
*** diazjf has joined #openstack-keystone [19:34]
*** chlong has quit IRC [19:34]
*** chlong has joined #openstack-keystone [19:36]
stevemar: amac: nice [19:51]
stevemar: amac: glad it can help! [19:51]
*** jaosorior has quit IRC [19:52]
*** rcernin has joined #openstack-keystone [19:56]
lbragstad: gagehugo you haven't submitted a review addressing the following on comments for https://review.openstack.org/#/c/400882/6 yet - have you? [20:00]
amac: So I am trying a variety of things to try and get authentication working.  I'm sort of back to where I started -- the query goes and gets all of the relevant information, groups, etc. The user I am trying to authenticate (the OS_USERNAME/OS_PASSWORD) is created in the Keystone/user table in the local MySQL DB. But I hit this authentication issue. There's no LDAP 52e error (bad password). I am using a project/domain combo that are in the MySQL DB. [20:01]
amac: And here's the error: keystone.common.wsgi [req-35c7c86e-c72a-4118-aaf5-174b76273e2d - - - - -] Authorization failed. The request you have made requires authentication. from ::1 [20:01]
gagehugo: lbragstad: the 'a' and 'truse' typos? I have not for those [20:01]
lbragstad: gagehugo ok - just checking [20:02]
gagehugo: lbragstad I will make sure to fix them in another patch though if that is fine [20:03]
lbragstad: gagehugo absolutely - since that patch is already gating I wouldn't propose another patch set to it [20:03]
gagehugo: ok [20:03]
*** breton_ is now known as breton [20:04]
lbragstad: gagehugo i wanted to make sure if there was a patch up fixing those minor comments - I'd review it right away, since it's an easy +2 fast following the original patch [20:04]
amac: And here are the configs as they stand. http://paste.openstack.org/show/592840/ [20:06]
amac: I have made sure that I am using correct project and domain designations, and that they are present in the MySQL DB per ayoung's excellent suggestions. [20:07]
*** diazjf has quit IRC [20:07]
ayoung: from ::1  You doing IPV6?  Cool [20:08]
ayoung: There's no LDAP 52e error (bad password)  is either the simple bind failing [20:08]
ayoung: or the service user [20:08]
amac: Not intentionally. :) [20:08]
ayoung: ah..you don't see that... [20:08]
ayoung: misread [20:08]
ayoung: amac, suggest you use the CLI and do an openstack token issue [20:09]
ayoung: that will confirm you can get an unscoped token [20:09]
amac: I can do an issue as long as LDAP is not engaged. [20:10]
amac: And as long as I am using the "admin" user I created in the setup. [20:11]
amac: Using ars9ac fails [20:11]
*** amoralej is now known as amoralej|off [20:17]
amac: Is there a way to turn up the debugging output in the logs for keystone? The only verbose debugging flag I see is in oslo.log, and it's set to be deprecated. [20:24]
openstackgerrit: Richard Avelar proposed openstack/keystone: WIP add query for unique_id in list_users  https://review.openstack.org/412608 [20:24]
amac: Is there a way to turn up the debugging output in the logs for keystone? The only verbose debugging flag I see is in oslo.log, and it's set to be deprecated. [20:26]
openstackgerrit: Richard Avelar proposed openstack/keystone: WIP add query for unique_id in list_users  https://review.openstack.org/412608 [20:27]
openstackgerrit: Ron De Rose proposed openstack/keystone: WIP - Set the domain for federated users  https://review.openstack.org/408332 [20:30]
openstackgerrit: Ron De Rose proposed openstack/keystone: WIP - Set the domain for federated users  https://review.openstack.org/408332 [20:32]
*** adriant has joined #openstack-keystone [20:36]
openstackgerrit: Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/409874 [20:36]
openstackgerrit: Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/409874 [20:37]
lbragstad: rderose dstanek do you guys remember that weird case we were hitting when we tried to use freezegun's `tick()` method to advance the time context by hours or days? [20:42]
*** iurygregory has quit IRC [20:42]
lbragstad: rderose dstanek looks like gagehugo found an interesting work-around for that (see my comment on line 745 https://review.openstack.org/#/c/396752/34/keystone/tests/unit/common/test_notifications.py ) [20:43]
rderose: lbragstad: cool, let me take a look [20:44]
lbragstad: rderose i thought our work around for that was just setting really short token validation times - or password expiration times, so that advancing the clock with freezegun would actually work [20:45]
rderose: lbragstad: yeah, was only able to get it to work in seconds; hours or days would hit that strange error [20:46]
rderose: gagehugo: nice! [20:47]
lbragstad: rderose right - i guess the test in gagehugo's patch gets around that specific situation [20:47]
rderose: lbragstad: so you don't tick the time ahead; just set it and stop after doing some work [20:49]
rderose: looks like [20:49]
gagehugo: lbragstad rderose freezegun is interesting [20:49]
gagehugo: https://github.com/spulec/freezegun#moving-time-to-specify-datetime [20:49]
lbragstad: rderose right - for that case just freeze time, do something, then unfreeze [20:49]
gagehugo: I'm pretty sure that's the example I followed when I made that test [20:49]
rderose: gagehugo: sweet! [20:50]
lbragstad: gagehugo so - by unfreezing you're effectively advancing the clock [20:50]
lbragstad: you could reverse the clock, too I suppose [20:51]
gagehugo: lbragstad yes that is how I took it [20:51]
lbragstad: it just depends on what the datetime.timedelta object is [20:51]
lbragstad: gagehugo nice - that's a cool trick [20:52]
gagehugo: lbragstad I have not tried out the tick function yet though [20:55]
dstanek: lbragstad: looking [20:56]
*** amac has quit IRC [20:57]
*** jamielennox|away is now known as jamielennox [21:04]
*** raildo has quit IRC [21:10]
breton: ayoung: are you subscribed to cryptography-dev@python.org? [21:31]
*** ravelar has quit IRC [21:34]
*** ravelar has joined #openstack-keystone [21:36]
*** amac has joined #openstack-keystone [21:45]
*** browne has joined #openstack-keystone [21:53]
openstackgerrit: Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/409874 [21:57]
stevemar: gagehugo: nice [22:01]
*** dave-mccowan has joined #openstack-keystone [22:11]
openstackgerrit: Gage Hugo proposed openstack/keystone: WIP - Allow user to change own expired password  https://review.openstack.org/404022 [22:11]
*** ravelar has quit IRC [22:25]
*** ravelar has joined #openstack-keystone [22:42]
*** mvk has joined #openstack-keystone [22:51]
Zer0Byte__: hey someone alive [22:53]
Zer0Byte__: ? [22:53]
Zer0Byte__: OS_PROJECT_DOMAIN_ID is still used on Newton further versions? [22:54]
Zer0Byte__: mitaka also [22:54]
Zer0Byte__: ? [22:54]
*** ravelar has quit IRC [23:04]
*** ravelar has joined #openstack-keystone [23:11]
*** edmondsw has joined #openstack-keystone [23:25]
*** ravelar has quit IRC [23:28]
*** edmondsw has quit IRC [23:30]
*** lamt has quit IRC [23:32]
*** jaugustine has quit IRC [23:36]
*** ravelar has joined #openstack-keystone [23:36]
*** agrebennikov has quit IRC [23:38]
*** dave-mccowan has quit IRC [23:50]
*** nicolasbock has quit IRC [23:54]
stevemar: Zer0Byte__: should be usable pretty far back [23:58]
Zer0Byte__: so is not on newer versions serverascode ? [23:58]
Zer0Byte__: stevemar [23:58]
Zer0Byte__: ? [23:58]
stevemar: Zer0Byte__: it should still work today too [23:59]
