Thursday, 2016-12-29

<openstackgerrit> Gage Hugo proposed openstack/keystone: WIP - Allow user to change own expired password https://review.openstack.org/404022 [00:08]
<openstackgerrit> Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone https://review.openstack.org/399472 [06:36]
-openstackstatus- NOTICE: All CI tests are currently broken since logs.openstack.org is down. Refrain from recheck or approval until this is fixed. [08:17]
*** ChanServ changes topic to "All CI tests are currently broken since logs.openstack.org is down. Refrain from recheck or approval until this is fixed." [08:17]
*** ChanServ changes topic to "Meeting Agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Ocata goals: https://docs.google.com/spreadsheets/d/156q820cXcEc8Y9YWQgoc_hyOm3AZ2jtMQM3zdDhwGFU/edit?usp=sharing" [11:08]
-openstackstatus- NOTICE: logs.openstack.org is up again. Feel free to recheck any failures. [11:08]
<openstackgerrit> Merged openstack/keystone: Handle disk write failure when doing Fernet key rotation https://review.openstack.org/413495 [14:02]
<lbragstad> o/ [14:16]
<lbragstad> it's quiet today - folks must still be on vacation [14:51]
<bandrus> I am in need of some assistance understanding formation of keystone requests, specifically token auth and subsequent commands using openstack CLI... would that be a good topic here or am I better off asking in #openstack-101 or something like that? [18:06]
<lbragstad> bandrus feel free to ask here [18:06]
<bandrus> thanks - so firstly I'm trying to understand our infrastructure's endpoints, and seeing if there can be any improvement there... My first question is regarding the service catalog. All keystone endpoints are listed as /v2.0 [18:08]
<bandrus> I'm wondering what the proper way to change the endpoints to v3 is, or if it's needed, and what potential impact it might have to clients [18:09]
<lbragstad> bandrus did you set up your deployment using a guide or devstack or something else? [18:09]
<bandrus> I would say "something else", I'm working on an existing infrastructure and I've been tasked with understanding the endpoints based on a few issues we have open from our customers. e.g. v3 endpoints halfway working... some commands working, some not [18:10]
<bandrus> what I do notice is that most endpoints in our service catalog have /v2.0 in them, and none have v3, though some v3 requests seem to work. I'm not sure how it "should" look [18:11]
<lbragstad> bandrus ah - sure... [18:12]
<lbragstad> bandrus well - keystone's v3 api supports a lot more stuff than the v2.0 api, so if clients are trying to use whatever is in the service catalog to do v3-like operations, but attempting to do that against a v2.0 endpoint, you'd for sure see some strange behavior [18:13]
<lbragstad> bandrus is it the other services talking to keystone (i.e. nova asking keystone to validate a token) that are failing or is it customers trying to use a client of some sort to do v3 things against v2.0? [18:14]
<bandrus> everything in our infrastructure seems to be working alright, which is why I'm hesitant to make changes - it's mostly when a client tries to do v3 things against the assumed v2.0 endpoints [18:15]
<lbragstad> bandrus hmm - are you using openstackclient? [18:17]
<lbragstad> if so - you might have to specify a v3 auth url and make sure to set an identity API version before using openstackclient in order for it to work correctly with v3 [18:17]
<lbragstad> bandrus for example - http://docs.openstack.org/developer/python-openstackclient/authentication.html#authenticating-using-identity-server-api-v3 [18:18]
<bandrus> lbragstad: to specify a v3 endpoint, would I need to make sure it's in the service catalog as such? [18:18]
<lbragstad> bandrus yes and no - you can tell your command line (openstackclient) interface you want to use a specific identity api version by following those ^ steps [18:19]
<bandrus> okay, so the client can specify v3 even though it's hitting a URL with /v2.0 in the endpoint URL? I am pretty sure it will automatically get the endpoint URL (including /v2.0) from the authentication response, correct? [18:21]
<lbragstad> bandrus well - your clients are going to use the value specified in OS_AUTH_URL [18:21]
<lbragstad> bandrus so you could specify OS_AUTH_URL=http://localhost:5000/v3 or OS_AUTH_URL=http://localhost:5000/v2.0 [18:21]
<lbragstad> and do an `openstack token issue` and the client (openstackclient) would format the request accordingly [18:22]
<bandrus> lbragstad: does OS_AUTH_URL need to match a keystone endpoint listed in the service catalog? [18:23]
<lbragstad> bandrus no - not necessarily [18:23]
<lbragstad> bandrus OS_AUTH_URL is for your client session to talk to keystone [18:24]
<lbragstad> (i.e. if i wanted to use openstackclient to interact with keystone on the command line, i could set OS_AUTH_URL to use v3 and I'd be using keystone v3 API to get what I need) [18:24]
<bandrus> lbragstad: I appreciate your help, I'm still trying to understand the auth and request processes fully so I can determine exactly where our problems lie. I'll have some more questions if you don't mind after playing around for a few minutes [18:28]
<lbragstad> bandrus no problem - hopefully it helped a little bit [18:29]
<lbragstad> bandrus just to confirm - your services aren't having any issues, your issues are specific to clients (using horizon or openstackclient)? [18:29]
<bandrus> lbragstad: correct [18:30]
<bandrus> I do have some more keystone specific questions, I just need to stew on what conclusions you've helped me come to [18:30]
<lbragstad> bandrus sounds good - just ping me when you're ready [18:31]
<bandrus> lbragstad: is there a benefit to configuring OpenStack services to use /v3 over /v2.0? as per this guide... or similar: https://goo.gl/HultSC [18:41]
<lbragstad> bandrus well - using v3 offers more features and capabilities, but from a services perspective, they just need keystone to be able to validate user tokens [18:43]
<lbragstad> if your deployment is taking advantage of multi-domain support, then v3 is going to be something you'll need in order for other services to be able to validate tokens for users outside the default domain [18:44]
<lbragstad> v2.0 token validation assumes all users are in a single/default domain, but v3 allows multiple domains per deployment [18:45]
<bandrus> lbragstad: thank you. So to ease over into my keystone-specific questions - one of our user-reported issues mentions using keystone v3 token and an OS_AUTH_URL of the keystone endpoint (v3). This is what I am trying to reproduce. I have generated a token that has been tested with various curl requests and I've set that as OS_ACCESS_TOKEN [18:47]
<bandrus> to clarify, I'm now attempting to use v3 token with openstackclient [18:48]
<bandrus> I am guessing I am missing one of the parameters needed to get token requests working with openstackclient, but I'm not sure which it is... [18:48]
<bandrus> because it asks for password [18:49]
<lbragstad> aha - I think OS_ACCESS_TOKEN is specific to using keystone oauth plugin [18:51]
<lbragstad> but i would have to check with stevemar to be sure [18:51]
<dtroyer> bandrus: you are looking for token_endpoint auth and setting --os-token and --os-url [18:52]
<lbragstad> bandrus ^ in addition to that, you might need to set --os-password [18:52]
<lbragstad> dtroyer o/ [18:52]
<dtroyer> you really shouldn't need anything else to do token_endpoint, that bypasses the initial auth entirely and hands the given token to the client lib directly [18:53]
<lbragstad> ah - gotcha [18:54]
<bandrus> dtroyer, --os-access-token-endpoint correct? [18:54]
<lbragstad> dtroyer otherwise you would need the password in order to perform the initial auth? [18:54]
<bandrus> this endpoint should correlate to... keystone v3 or the actual service I'm trying to hit? [18:55]
<dtroyer> that's the point of token_endpoint, to give a presumably valid token straight to the actual API you want to call and skip the get_token() calls [18:55]
<bandrus> got it [18:55]
<dtroyer> bandrus: the actual service, which is Identity v3 for any Identity commands beyond the initial auth sequence [18:56]
<dtroyer> like project create [18:56]
<bandrus> dtroyer: in the example of server create... the nova endpoint would be specified? [18:56]
<dtroyer> yes [18:56]
<bandrus> dtroyer: would it be common that os-access-token-endpoint be the same as os-endpoint? [19:12]
<bandrus> i.e. service endpoint [19:12]
<dtroyer> I don't know what os-access-token-endpoint is [19:12]
<lbragstad> i think that's for oauth authentication [19:12]
<bandrus> dtroyer: I had asked earlier if you meant os-access-token-endpoint when you said token_endpoint [19:12]
<bandrus> but perhaps you meant token_endpoint as the method of auth, and not a parameter to be run with openstackclient [19:13]
<dtroyer> I must have read past that too quickly then... [19:13]
<dtroyer> --os-auth-type token_endpoint --os-token <token> --os-url <service-url> is the long form, all other auth-related options are ignored (or illegal) for token_auth [19:14]
<bandrus> ahh! [19:14]
<dtroyer> normally, the auth-type is detected/assumed when both os-token and --os-url are present so --os-auth-type is not necessary [19:15]
<bandrus> actually got a request to come back when the endpoint matches that in the service catalog. Thank you dtroyer and lbragstad! [19:21]
<lbragstad> bandrus awesome - any time! [19:23]
<bandrus> last question for now: do I essentially need to keep a service catalog handy in order to reference the endpoints manually in making my requests? Obviously that's something that could be automated, but want to make sure it's not something that can be obtained automatically like in password authentication. I think this makes sense since we're essentially bypassing keystone and the service catalog in the keystone response... is [19:31]
<lbragstad> bandrus are you using the ?no_catalog query parameter when authenticating or validating tokens? [19:33]
<dtroyer> bandrus: take a look at the similar-but-different admin_token auth type.  IIRC it still does the SC lookup, only bypassing the get token bit [19:34]
<bandrus> okay, in the case of a customer using openstackclient to connect to the cluster - my guess is they are running as such: openstack --os-url https://<glance_endpoint>:9292 --os-token <token> image list [19:35]
<bandrus> so in that case, they probably just know the endpoints for services they are trying to hit [19:36]
<dtroyer> I really hope that is an exception and not a normal use case [19:36]
<dtroyer> some OSc commands will talk to multiple services to do name -> ID lookups for example, those don't work (well) with token_endpoint auth [19:37]
<dtroyer> as an operator, I would really want to discourage customers from doing that sort of thing, it makes you unable to change your service catalog without breaking them [19:38]
<bandrus> so upon reading the ticket closer... they specify using "OS_AUTH_URL" of keystone and a token [19:39]
<dtroyer> that sounds like the admin_token auth (which I don't use), IIRC it wants auth_url to get the service catalog [19:40]
<dtroyer> that is a much better situation than I thought a minute ago [19:40]
<dtroyer> it'll still use the SC to find endpoints and the multi-API commands will work [19:41]
<bandrus> haha, I was just excited to have something working in the form of that less ideal syntax [19:41]
<dtroyer> it's good to know how to use it, hopefully it is one of those things that you never need, and when you do you'll be happy to know how :) [19:41]
<bandrus> so in using os-auth-url, the command doesn't seem to like os-token [19:42]
<bandrus> I'm more than happy to go do some further reading, I'm finding it hard to find decent documentation on these subjects however... As in "if using this method, this is what is required" [19:45]
<dtroyer> that may only work with v3 [19:45]
<dtroyer> there aren't decent docs for this… I'm reading the plugin source to find what arguments are required for admin_token [19:45]
<dtroyer> and it isn't even clear there [19:46]
<bandrus> well then, I very much appreciate your help [19:46]
<dtroyer> hmmmm, I may be meaning v3token auth type rather than admin_token [19:46]
<bandrus> okay, I do believe they are trying v3token [19:47]
<lbragstad> dtroyer should we open a doc bug to clear some of that up? or at least track the need? [19:47]
<dtroyer> lbragstad: maybe?  also, jamielennox may have a lot of this written down somewhere that I don't know about [19:48]
<lbragstad> dtroyer i can make a note to follow up with jamielennox if he isn't already hanging around [19:49]
<dtroyer> admin_token needs --os-endpoint and --os-token according to keystoneauth/keystoneauth1/loading/_plugins/admin_token.py [19:49]
<lbragstad> and if he doesn't have it tracked somewhere i'll open one up [19:49]
<dtroyer> I think v3token wants --os-auth-url and --os-token [19:50]
<dtroyer> per ../keystoneauth/keystoneauth1/loading/_plugins/identity/v3.py [19:50]
<dtroyer> can you tell I don't use these often? [19:50]
<dtroyer> having three similar-yet-different auth types is confusing but back-compat requires two of them stay around for a while yet [19:51]
<bandrus> great - I'm playing around... for now, I am getting 404 could not find token (when the same one works when the cinder endpoint is specified directly) - but I'll spend some time generating a new token before wasting anyone's time [19:54]
<bandrus> works great! [19:55]
<bandrus> thank you again dtroyer and lbragstad. From a user who isn't yet intimately familiar with openstack source, some documentation that really lays it out would be greatly appreciated. [19:56]
<lbragstad> bandrus ++ [19:56]
<dtroyer> agreed [19:57]
<kevinbenton> Hi, we've started seeing these warnings in our Neutron logs somewhat recently [23:42]
<kevinbenton> " A valid token was submitted as a service token, but it was not a valid service token. This is incorrect but backwards compatible behaviour. This will be removed in future releases." [23:42]
<kevinbenton> coming from keystonemiddleware.auth_token [23:42]
<kevinbenton> based on the timing of its appearance, I believe it's on the notification that neutron sends to nova [23:42]
<kevinbenton> so i suspect our configuration of the credentials used to communicate with nova is not valid [23:43]
<kevinbenton> What type of credentials should we be using? [23:43]
<kevinbenton> For reference of how we configure them now, search for "[nova]" in http://logs.openstack.org/32/415632/1/check/gate-tempest-dsvm-neutron-full-ubuntu-xenial/7bd5633/logs/etc/neutron/neutron.conf.txt.gz [23:44]