Thursday, 2017-03-30

*** thorst has quit IRC  00:01
*** jlopezgu_ has quit IRC  00:02
<ayoung> knikolla, you get my response on the update on the RBAC patch?  https://review.openstack.org/#/c/401808/  You can probably post what you have working now.  00:14
<openstackgerrit> Ron De Rose proposed openstack/keystone master: Return the local user roles for federated users mapped to local users  https://review.openstack.org/451604  00:19
<openstackgerrit> Ron De Rose proposed openstack/keystone master: Return the local user roles for a federated user mapped to a local user  https://review.openstack.org/451604  00:20
*** dikonoor has joined #openstack-keystone  00:25
*** thorst has joined #openstack-keystone  00:36
*** bjornar_ has joined #openstack-keystone  00:44
*** david-lyle_ has joined #openstack-keystone  00:45
*** david-lyle has quit IRC  00:48
*** thorst has quit IRC  00:53
<lbragstad> knikolla well - it looks like the recheck passed - https://review.openstack.org/#/c/451559/1  00:54
<lbragstad> https://review.openstack.org/#/c/451559/1  00:54
*** sjain has joined #openstack-keystone  00:56
<knikolla> ayoung: yep, i'll do that tomorrow since it's in my work pc  01:04
<knikolla> lbragstad: awesome!  01:04
<openstackgerrit> Merged openstack/keystone master: Add charset to webob.Response  https://review.openstack.org/451559  01:08
*** sjain has quit IRC  01:09
*** gyee has quit IRC  01:11
<openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Remove create_container_group from tests  https://review.openstack.org/450990  01:16
<openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Updated from global requirements  https://review.openstack.org/451014  01:16
*** dikonoor has quit IRC  01:16
*** liujiong has joined #openstack-keystone  01:18
*** luzC has quit IRC  01:20
*** jlwhite has quit IRC  01:20
*** luzC has joined #openstack-keystone  01:25
*** jlwhite has joined #openstack-keystone  01:25
*** edmondsw has quit IRC  01:29
<openstackgerrit> ayoung proposed openstack/keystone master: Removed domain conflict guard in load_fixtures  https://review.openstack.org/450991  01:31
<openstackgerrit> ayoung proposed openstack/keystone master: Replace wip with skip  https://review.openstack.org/450992  01:31
*** david-lyle__ has joined #openstack-keystone  01:34
*** david-lyle_ has quit IRC  01:37
*** chlong has joined #openstack-keystone  01:47
*** oomichi has quit IRC  01:48
*** thorst has joined #openstack-keystone  01:51
*** oomichi has joined #openstack-keystone  01:52
*** thorst has quit IRC  02:04
*** rderose has quit IRC  02:08
<openstackgerrit> Anthony Washington proposed openstack/keystone master: Move project policies to DocumentedRuleDefault  https://review.openstack.org/449238  02:09
*** guoshan has joined #openstack-keystone  02:20
*** knangia has quit IRC  02:21
*** prashkre has joined #openstack-keystone  02:27
*** adrian_otto has joined #openstack-keystone  02:31
*** thorst has joined #openstack-keystone  02:31
*** agrebennikov has quit IRC  02:32
*** prashkre has quit IRC  02:35
*** knangia has joined #openstack-keystone  02:35
*** thorst has quit IRC  02:38
*** bjornar_ has quit IRC  02:42
*** guoshan has quit IRC  02:45
*** adrian_otto has quit IRC  02:53
*** adrian_otto has joined #openstack-keystone  02:53
*** ravelar has quit IRC  02:56
*** adrian_otto has quit IRC  03:03
*** adrian_otto has joined #openstack-keystone  03:03
*** adrian_otto has quit IRC  03:04
*** cmurphy has quit IRC  03:06
*** oomichi has quit IRC  03:08
*** oomichi has joined #openstack-keystone  03:12
*** dikonoor has joined #openstack-keystone  03:19
*** dave-mccowan has quit IRC  03:27
*** cmurphy has joined #openstack-keystone  03:29
*** thorst has joined #openstack-keystone  03:36
*** guoshan has joined #openstack-keystone  03:36
<openstackgerrit> Merged openstack/keystone master: Remove create_container_group from tests  https://review.openstack.org/450990  03:37
*** adrian_otto has joined #openstack-keystone  03:49
*** thorst has quit IRC  03:55
<openstackgerrit> Steve Martinelli proposed openstack/keystone master: Remove revocation API dependency from resource API  https://review.openstack.org/447564  03:58
<openstackgerrit> Steve Martinelli proposed openstack/keystone master: Remove revocation API dependency from identity API  https://review.openstack.org/447573  03:58
*** guoshan has quit IRC  04:00
* stevemar punts through several things  04:03
*** adrian_otto has quit IRC  04:20
*** links has joined #openstack-keystone  04:26
*** adrian_otto has joined #openstack-keystone  04:26
<openstackgerrit> Merged openstack/keystone master: Move endpoint policies to DocumentedRuleDefault  https://review.openstack.org/449212  04:29
*** guoshan has joined #openstack-keystone  04:33
*** aojea has joined #openstack-keystone  04:35
*** dobson has quit IRC  04:36
*** adrian_otto has quit IRC  04:37
*** aojea has quit IRC  04:39
*** dobson has joined #openstack-keystone  04:40
*** ianw has quit IRC  04:43
*** ianw has joined #openstack-keystone  04:43
*** prashkre has joined #openstack-keystone  04:52
*** guoshan has quit IRC  05:00
*** guoshan has joined #openstack-keystone  05:00
*** oomichi has quit IRC  05:09
*** oomichi has joined #openstack-keystone  05:12
*** akrzos has quit IRC  05:14
*** dmellado has quit IRC  05:14
*** chlong has quit IRC  05:14
*** dmellado has joined #openstack-keystone  05:16
*** oomichi has quit IRC  05:18
*** akrzos has joined #openstack-keystone  05:22
*** oomichi has joined #openstack-keystone  05:23
*** Adobeman has quit IRC  05:32
*** Adobeman has joined #openstack-keystone  05:33
<openstackgerrit> Merged openstack/keystone master: Move domain policies to DocumentedRuleDefault  https://review.openstack.org/449234  05:35
<openstackgerrit> Merged openstack/keystone master: Updated from global requirements  https://review.openstack.org/451014  05:38
<openstackgerrit> Merged openstack/keystone master: Doc db_sync --expand incurring downtime in upgrades to Newton  https://review.openstack.org/450863  05:40
<openstackgerrit> Merged openstack/keystone master: Remove unused revoke_by_project_role_assignment  https://review.openstack.org/448613  05:40
<openstackgerrit> Merged openstack/keystone master: Remove unused revoke_by_domain_role_assignment  https://review.openstack.org/448615  05:42
*** richm has quit IRC  05:43
*** rcernin has joined #openstack-keystone  05:45
<openstackgerrit> Merged openstack/keystone master: Fix some reST field lists in docstrings  https://review.openstack.org/449892  05:50
<openstackgerrit> Merged openstack/keystone master: Add group_members_are_ids to whitelisted options  https://review.openstack.org/442048  05:50
<openstackgerrit> Merged openstack/keystone master: Removed domain conflict guard in load_fixtures  https://review.openstack.org/450991  05:50
<openstackgerrit> Merged openstack/keystone master: Replace wip with skip  https://review.openstack.org/450992  05:50
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Remove policy file from source and refactor tests  https://review.openstack.org/449675  05:51
*** thorst has joined #openstack-keystone  05:52
*** thorst has quit IRC  05:57
*** zhurong has joined #openstack-keystone  06:15
<openstackgerrit> Merged openstack/keystone master: Remove revocation API dependency from resource API  https://review.openstack.org/447564  06:26
<openstackgerrit> XieYingYun proposed openstack/keystone master: Remove unnecessary setUp function in testcase  https://review.openstack.org/451666  06:33
*** zhurong has quit IRC  06:38
*** haplo37- has quit IRC  06:45
*** pcaruana has joined #openstack-keystone  06:47
*** thorst has joined #openstack-keystone  06:53
*** haplo37_ has joined #openstack-keystone  06:53
*** thorst has quit IRC  06:57
*** d0ugal has joined #openstack-keystone  06:58
*** d0ugal has joined #openstack-keystone  06:58
*** Dinesh_Bhor has quit IRC  07:07
*** Dinesh_Bhor has joined #openstack-keystone  07:07
*** dineshbhor has joined #openstack-keystone  07:09
*** dineshbhor has quit IRC  07:09
*** tesseract has joined #openstack-keystone  07:16
*** kukacz has quit IRC  07:17
*** aojea has joined #openstack-keystone  07:18
*** kukacz has joined #openstack-keystone  07:18
*** pnavarro has joined #openstack-keystone  07:19
*** Dinesh_Bhor has quit IRC  07:24
*** Dinesh_Bhor has joined #openstack-keystone  07:25
*** Dinesh_Bhor has quit IRC  07:30
*** Dinesh_Bhor has joined #openstack-keystone  07:32
*** zhurong has joined #openstack-keystone  07:37
*** zhangqiankun has joined #openstack-keystone  07:39
*** Dinesh_Bhor has quit IRC  07:40
*** Dinesh_Bhor has joined #openstack-keystone  07:43
*** aojea has quit IRC  07:49
*** knangia has quit IRC  07:51
*** thorst has joined #openstack-keystone  07:54
*** pnavarro has quit IRC  07:56
*** zzzeek has quit IRC  08:00
*** wuyanjun has joined #openstack-keystone  08:00
*** zzzeek has joined #openstack-keystone  08:02
*** openstackgerrit has quit IRC  08:03
*** aojea has joined #openstack-keystone  08:12
*** thorst has quit IRC  08:12
*** openstackgerrit has joined #openstack-keystone  08:22
<openstackgerrit> Merged openstack/keystone master: Remove revocation API dependency from identity API  https://review.openstack.org/447573  08:22
*** haplo37_ has quit IRC  08:28
*** haplo37_ has joined #openstack-keystone  08:31
*** yulijie has joined #openstack-keystone  08:35
*** pnavarro has joined #openstack-keystone  08:39
*** zhangqiankun has quit IRC  08:45
*** zhangqiankun has joined #openstack-keystone  08:46
*** prashkre has quit IRC  08:59
*** zhurong has quit IRC  09:01
*** zhangqiankun has quit IRC  09:01
*** pradeep has joined #openstack-keystone  09:02
*** thorst has joined #openstack-keystone  09:09
*** prashkre has joined #openstack-keystone  09:10
*** thorst has quit IRC  09:13
*** zhangqiankun has joined #openstack-keystone  09:28
*** zhangqiankun has quit IRC  09:29
*** Dinesh_Bhor has quit IRC  09:49
*** bjornar_ has joined #openstack-keystone  09:50
*** thorst has joined #openstack-keystone  10:10
*** liujiong has quit IRC  10:10
*** Dinesh_Bhor has joined #openstack-keystone  10:12
*** richm has joined #openstack-keystone  10:14
*** thorst has quit IRC  10:14
*** mvk has quit IRC  10:19
*** edmondsw has joined #openstack-keystone  10:21
*** edmondsw has quit IRC  10:26
*** guoshan has quit IRC  10:33
*** raildo has joined #openstack-keystone  10:42
*** pradeep has quit IRC  11:00
*** thorst has joined #openstack-keystone  11:11
*** zhangqiankun has joined #openstack-keystone  11:14
*** thorst has quit IRC  11:15
*** zhangqiankun has quit IRC  11:18
*** ayoung has quit IRC  11:25
*** thorst has joined #openstack-keystone  11:34
*** mvk has joined #openstack-keystone  11:59
*** henrynash has quit IRC  12:00
*** dikonoo has joined #openstack-keystone  12:05
*** guoshan has joined #openstack-keystone  12:06
<breton> so, i've just tested auto-provisioning on a larger audience  12:09
<breton> it worked pretty well!  12:09
<breton> there are some issues, not with keystone though  12:10
*** dave-mccowan has joined #openstack-keystone  12:17
*** voelzmo has joined #openstack-keystone  12:18
*** catintheroof has joined #openstack-keystone  12:21
*** edmondsw has joined #openstack-keystone  12:22
*** henrynash has joined #openstack-keystone  12:28
*** ayoung has joined #openstack-keystone  12:34
*** links has quit IRC  12:54
*** ayoung has quit IRC  12:58
*** knangia has joined #openstack-keystone  13:00
*** agrebennikov has joined #openstack-keystone  13:04
*** spilla has joined #openstack-keystone  13:05
*** lamt has joined #openstack-keystone  13:06
*** ma9_ has joined #openstack-keystone  13:07
<ma9_> Hi, does somebody know how to configure Keystone with PAM authentication as backend?  13:07
<ma9_> I guess I need to put some driver to /opt/stack/keystone/keystone/identity/backends/  13:09
<ma9_> and configure [identity]  13:09
<ma9_> driver = mypambackend  13:09
<ma9_> ?  13:10
<breton> ma9_: yes, that's right  13:11
<ma9_> I found this example https://admiyo.fedorapeople.org/openstack/keystone/coverage/keystone_identity_backends_pam.html  13:12
<ma9_> is there anything more 'official'  13:12
<ma9_> I could use?  13:12
*** ayoung has joined #openstack-keystone  13:12
<ma9_> maybe this guide is better. https://thestaticvoid.com/post/2013/06/04/customizing-the-openstack-keystone-authentication-backend/  13:13
<dstanek> breton: nice  13:14
<dstanek> ma9_: we removed our pam backend a long time ago  13:15
<dstanek> ma9_: http://git.openstack.org/cgit/openstack/keystone/commit/?id=6bd2307  13:17
*** lamt has quit IRC  13:21
<ma9_> damn :D  13:24
<ma9_> thanks for the info!  13:24
<ma9_> this is a bit odd though, that something like that has to be removed  13:24
<lbragstad> no one has seen the webob issues again yet, have they?  13:28
<lbragstad> cc dstanek?  13:28
<dstanek> lbragstad: i haven't yet  13:28
<dstanek> i haven't looked for any gate errors though  13:29
*** henrynash has quit IRC  13:31
*** chlong has joined #openstack-keystone  13:34
*** jlvillal is now known as jlvillal_pto  13:35
*** guoshan has quit IRC  13:36
*** jaosorior is now known as jaosorior_away  13:37
*** ravelar has joined #openstack-keystone  13:38
*** lucasxu has joined #openstack-keystone  13:43
*** guoshan has joined #openstack-keystone  13:48
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Address comments from Policy in Code 5  https://review.openstack.org/448826  13:59
*** henrynash has joined #openstack-keystone  13:59
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Address comments from Policy in Code 5  https://review.openstack.org/448826  14:05
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Address comments from Policy in Code 5  https://review.openstack.org/448826  14:05
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Remove unused revocation check in revoke_models  https://review.openstack.org/451452  14:07
*** aojea_ has joined #openstack-keystone  14:13
*** szaher has quit IRC  14:14
*** szaher has joined #openstack-keystone  14:14
*** aojea has quit IRC  14:16
*** prashkre has quit IRC  14:17
*** lamt has joined #openstack-keystone  14:19
*** browne has joined #openstack-keystone  14:21
*** yulijie has quit IRC  14:26
*** yulijie has joined #openstack-keystone  14:27
*** rderose has joined #openstack-keystone  14:30
<antwash> lbragstad : so far so good, no webob issues  14:41
*** aojea_ has quit IRC  14:41
*** dikonoo has quit IRC  14:43
*** dikonoor has quit IRC  14:44
*** henrynash has quit IRC  14:45
<lbragstad> antwash good deal - i saw a few issues remaining and issued some rechecks  14:47
<lbragstad> antwash i did notice there were other failures on some of those patches, too  14:47
<dstanek> lbragstad: any thoughts on why the tests didn't catch the issue?  14:48
<lbragstad> (one being related to a pbr version and the others related to a failing nova tempest test)  14:48
<lbragstad> dstanek all the ones i saw that had issues with webob were py35 specific  14:48
<lbragstad> py27 seemed fine  14:48
<antwash> lbragstad: yeah I did as well, I'm going to look into the other issues as well  14:48
<lbragstad> from what i could tell - it looks like it was specific to WebOb > 1.7 and python 3.5  14:49
<antwash> hopefully everything will be good to go, we have two merged so fa ^_^  14:49
<antwash> s/fa/far  14:49
<lbragstad> antwash the trace from the nova tempest issue was referencing "no host available" so it could have been a transient or a different/unrelated gate issue  14:49
<antwash> lbragstad: did you happen to find out about that 'ec2 authenticate' policy?  14:50
<lbragstad> antwash not yet - i saw your question, but i didn't get a chance to dig into it  14:52
<lbragstad> yet  14:52
<lbragstad> antwash what was it again?  14:52
<openstackgerrit> Anthony Washington proposed openstack/keystone master: Move role assignment to DocumentedRuleDefault  https://review.openstack.org/449253  14:52
<antwash> lbragstad: what's the rule for the ec2 authenticate policy, I  14:53
<antwash> I didn't see it in the old policy.json  14:53
<antwash> or in code  14:53
<lbragstad> antwash ah  14:53
<lbragstad> I would think that it would be unauthenticated  14:54
<lbragstad> since it's an authenticate call,  14:54
<lbragstad> which would be similar to how we treat authentication  14:54
<lbragstad> we don't protect the authentication endpoint  14:54
<lbragstad> (because it's the authentication endpoint, and it causes a circle dependency)  14:54
<antwash> lbragstad : also it's mentioned that these policies are deprecated https://review.openstack.org/#/c/449248/, but according to this they are not. https://developer.openstack.org/api-ref/identity/v3/?expanded=create-policy-detail  14:56
<antwash> maybe the doc needs to be updated?  14:56
*** rcernin has quit IRC  15:00
<lbragstad> antwash samueldmq updated  15:01
<lbragstad> https://review.openstack.org/#/c/449248/2  15:01
<openstackgerrit> Anthony Washington proposed openstack/keystone master: Move project endpoint to DocumentedRuleDefault  https://review.openstack.org/449276  15:02
*** guoshan has quit IRC  15:04
*** henrynash has joined #openstack-keystone  15:06
<openstackgerrit> Anthony Washington proposed openstack/keystone master: Move policy policies to DocumentedRuleDefault  https://review.openstack.org/449248  15:07
*** adrian_otto has joined #openstack-keystone  15:11
<SamYaple> im having trouble running apache2 in front of uwsgi. im using the example configs in keystone/httpd directory. it is acting as if I need to enable mod_proxy or mod_http_proxy and I cannot figure it out. http://paste.openstack.org/show/604872/  15:15
*** adrian_otto has quit IRC  15:15
<SamYaple> any ideas?  15:15
*** bjornar_ has quit IRC  15:16
*** henrynash has quit IRC  15:24
<ayoung> SamYaple, what is the error?  15:25
<SamYaple> ayoung: in that pastebin  15:26
<SamYaple> AH01144: No protocol handler was valid for the URL /  15:26
<SamYaple> it seems like im not enabling uwsgi proxy.... but i am  15:26
<SamYaple> so im just confused  15:26
<ayoung> SamYaple, what do your configs look like?  15:26
<ayoung> SamYaple, or it is not matching the URL  15:27
<ayoung> or the port is not in the listens list etc  15:27
<SamYaple> straight copy from keystone/httpd  15:27
<ayoung> 127.0.0.1  vs 0.0.0.0  15:27
<ayoung> note the protocol is uwsgi in the [Thu Mar 30 07:27:45.634203 2017] [proxy_http:debug] [pid 18:tid 140369991821056] mod_proxy_http.c(1942): [client 10.10.0.1:50156] AH01113: HTTP: declining URL uwsgi://127.0.0.1:35358/  15:27
<SamYaple> ahhh nvm im dumb. i was enabling uwsgi, not proxy_uwsgi  15:28
<SamYaple> which are two different things  15:28
<SamYaple> seems to be working now  15:28
<ayoung> Ach!  15:28
<ayoung> Cool.  SamYaple you coming to Boston?  15:28
<SamYaple> i am  15:30
<ayoung> Cool...see you there!  15:30
<SamYaple> awesome!  15:31
*** adrian_otto has joined #openstack-keystone  15:35
*** aloga_ is now known as aloga  15:38
*** voelzmo has quit IRC  15:39
*** voelzmo has joined #openstack-keystone  15:40
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Refactor test_revoke to call check_token directly  https://review.openstack.org/451874  15:43
*** voelzmo has quit IRC  15:44
<openstackgerrit> Merged openstack/keystone master: Add policy sample generation  https://review.openstack.org/443344  15:44
*** jlopezgu_ has joined #openstack-keystone  15:48
* notmorgan lurks harder  15:58
<SamYaple> so im wondering about why we do the 127.0.0.1 bind of uwsgi. if you use nginx as a LB upstream, couldn't you bind uwsgi to a private address and then LB directly to uwsgi? or are there security implications with that?  16:16
*** jaosorior_away is now known as jaosorior  16:19
<knikolla> o/  16:20
*** pcaruana has quit IRC  16:23
<gagehugo> knikolla: o/  16:31
*** prashkre has joined #openstack-keystone  16:35
*** tesseract has quit IRC  16:40
<lbragstad> o/  16:42
*** jaosorior has quit IRC  16:50
*** lucasxu has quit IRC  16:53
*** lucasxu has joined #openstack-keystone  16:56
*** swatson has quit IRC  16:59
-openstackstatus- NOTICE: The Gerrit service on review.openstack.org is being restarted briefly to relieve performance issues, and should return to service again momentarily.  17:03
<openstackgerrit> Kristi Nikolla proposed openstack/keystone master: URL pattern based RBAC Management Interface  https://review.openstack.org/401808  17:04
*** MasterOfBugs has joined #openstack-keystone  17:10
*** bjornar_ has joined #openstack-keystone  17:12
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Address comments from Policy in Code 5  https://review.openstack.org/448826  17:16
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Address comments from Policy in Code 5  https://review.openstack.org/448826  17:17
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Address comments from Policy in Code 5  https://review.openstack.org/448826  17:17
*** david-lyle__ is now known as david-lyle  17:30
<dstanek> SamYaple: you can bind to whatever address you want  17:32
<dstanek> SamYaple: i typically like to have an actual webserver in front of the python app though  17:33
<dstanek> protection from slow clients and some other things that are useful  17:33
<dstanek> it's also necessary with federation  17:33
<SamYaple> just to clarify, all the nginx+uwsgi stuff i see, no federation support correct?  17:34
<dstanek> SamYaple: what are you looking at?  17:35
*** chlong has quit IRC  17:36
<SamYaple> dstanek: just random interweb things. basically i dont know uwsgi and was wondering if binding to 127.0.0.1 and putting apache2/nginx in front of it was done for security  17:36
<openstackgerrit> Sean Dague proposed openstack/keystone-specs master: Unified limits specification  https://review.openstack.org/440815  17:42
<openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Remove LDAP delete logic and associated tests  https://review.openstack.org/424344  17:43
<dstanek> SamYaple: i don't think security. i like to do it for other reasons. for example, nginx is pretty good about protecting you from slow clients  17:43
<SamYaple> yea i get that part. i was trying to avoid nginx on LB -> nginx on host -> uwsgi on host  17:46
<SamYaple> which it sounds like i can  17:46
<dstanek> SamYaple: why would you have nginx on the LB?  17:47
<dstanek> SamYaple: also where do you do your SSL termination?  17:47
*** prashkre has quit IRC  17:49
<SamYaple> dstanek: nginx is a load balancer that can do ssl termination (much like haproxy)  17:50
<openstackgerrit> Merged openstack/keystone master: Remove policy file from source and refactor tests  https://review.openstack.org/449675  17:51
<ayoung> lbragstad, dstanek, please have a look at the server side of the RBAC code.  https://review.openstack.org/#/c/401808  17:51
<ayoung> rodrigods, ^^ you, too, please  17:51
<ayoung> it should be a pretty straightforward REST API.  Does not do enforcement.  17:52
<openstackgerrit> Anthony Washington proposed openstack/keystone master: Move mapping to DocumentedRuleDefault  https://review.openstack.org/449341  17:52
<openstackgerrit> Anthony Washington proposed openstack/keystone master: Move policy policies to DocumentedRuleDefault  https://review.openstack.org/449248  17:53
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Consolidate duplicate test and code in test_revoke  https://review.openstack.org/451926  17:53
*** nikhil_ has joined #openstack-keystone  17:55
*** nikhil_ is now known as Guest23722  17:55
<openstackgerrit> ayoung proposed openstack/keystone master: URL pattern based RBAC Management Interface  https://review.openstack.org/401808  17:56
<openstackgerrit> Anthony Washington proposed openstack/keystone master: Move protocol to DocumentedRuleDefault  https://review.openstack.org/449345  17:56
*** SamYaple_ has joined #openstack-keystone  17:57
*** prashkre has joined #openstack-keystone  17:58
*** rm_work has quit IRC  17:59
*** nikhil has quit IRC  17:59
*** Krenair has quit IRC  17:59
*** mordred has quit IRC  17:59
*** SamYaple has quit IRC  17:59
*** BlackDex has quit IRC  17:59
*** rm_work has joined #openstack-keystone  18:00
*** Guest23722 is now known as nikhil  18:01
*** mordred has joined #openstack-keystone  18:01
*** chlong has joined #openstack-keystone  18:02
*** SamYaple_ has quit IRC  18:03
*** SamYaple has joined #openstack-keystone  18:03
*** ravelar has quit IRC  18:03
*** ayoung has quit IRC  18:03
*** davechen has quit IRC  18:04
*** Krenair has joined #openstack-keystone  18:04
*** voelzmo has joined #openstack-keystone  18:06
*** ravelar has joined #openstack-keystone  18:08
<samueldmq> hi keystoners  18:10
<samueldmq> antwash: done! all reviewed  18:10
<samueldmq> :)  18:10
<antwash> samueldmq : thanks sam!!  18:10
*** mvk has quit IRC  18:10
<samueldmq> antwash: glad to help!  18:11
*** chlong has quit IRC  18:11
*** voelzmo has quit IRC  18:13
<dstanek> samueldmq: ah, i see. i think you would be ok then to not run it on the keystone nodes. i usually terminate SSL at the node itself so even local traffic is protected  18:13
<samueldmq> dstanek: what did I do ?  18:14
<samueldmq> SamYaple: ^  18:14
<samueldmq> :-)  18:14
<dstanek> samueldmq: sorry not you  18:15
<dstanek> SamYaple: ^ that was for you  18:15
<SamYaple> dstanek: right, im just making sure i understand the flow here. what can be done, what can't. whats safe. that kind of thing  18:17
<SamYaple> thanks for the help  18:17
*** davechen has joined #openstack-keystone  18:18
*** henrynash has joined #openstack-keystone  18:20
*** henrynash has quit IRC  18:23
*** d0ugal has quit IRC  18:24
<openstackgerrit> Tin Lam proposed openstack/keystonemiddleware master: Replace pycrypto with cryptography  https://review.openstack.org/451941  18:24
<lbragstad> lamt yes!  18:25
<lamt> @lbragstad : \o/ I will add a release note to that patch set later.  18:26
<lbragstad> i'm excited to test that out  18:26
<lbragstad> lamt thanks for jumping on that one so quick  18:27
*** ravelar1 has joined #openstack-keystone  18:27
<lamt> np  18:27
*** adrian_otto has quit IRC  18:28
*** mvk has joined #openstack-keystone  18:43
*** ravelar1 has quit IRC  18:59
*** aojea has joined #openstack-keystone  18:59
*** zhangqiankun has joined #openstack-keystone  19:00
*** chlong has joined #openstack-keystone  19:00
<openstackgerrit> Merged openstack/keystone master: Move project policies to DocumentedRuleDefault  https://review.openstack.org/449238  19:05
*** chlong has quit IRC  19:07
<mfisch> lbragstad: I have a question for you. Have a weird thing where a service is getting tokens, which are valid and then after 3-4 mins a token validation returns "404 not found"  19:12
<mfisch> does that sound familiar at all? fernet of course  19:12
<mfisch> they're not in the revocation table  19:12
*** aloga has quit IRC  19:14
*** MasterOfBugs has quit IRC  19:15
<openstackgerrit> Merged openstack/keystone master: Move service provider to DocumentedRuleDefault  https://review.openstack.org/449347  19:15
*** zhangqiankun has quit IRC  19:18
<breton> so...  19:18
<breton> where do i report security bugs?  19:18
<breton> ok, https://security.openstack.org/  19:19
<dstanek> breton: did you get it figured out?  19:23
<dstanek> mfisch: that's really strange  19:23
<breton> dstanek: yes  19:24
<mfisch> something is revoking them looks like its saying "Revoke all this users tokens" there's no project or domain scope in the revoke table  19:24
*** aloga has joined #openstack-keystone  19:25
*** MasterOfBugs has joined #openstack-keystone  19:29
<dstanek> mfisch: and you're not seeing anything in the logs?  19:31
<mfisch> looking  19:31
<dstanek> mfisch: do you have an idea what the user is doing with the token?  19:31
<mfisch> lots of logs  19:31
<mfisch> these are service users  19:31
<mfisch> so designate, heat, and 2 others  19:32
<mfisch> its causing API failures  19:32
<mfisch> every 5 or so mins like clockwork, 4 new revokes show up  19:32
<dstanek> mfisch: and the fernet keys are not being rotated or anything?  19:32
<mfisch> the revoke table only has a user_id the rest is null (except times)  19:32
<mfisch> nope, no rotations  19:32
<dstanek> mfisch: the 5 minutes sounds like some kind of automated job or maybe token timeout  19:33
<mfisch> token timeout is 2 hours but yeah it is suspicious  19:33
<mfisch> found it, well a colleague did  19:33
<mfisch> PATCH call to a user  19:34
<mfisch> FOUND IT  19:34
<mfisch> damn you puppet  19:35
<dstanek> mfisch: lol  19:35
<dstanek> a cron?  19:35
<mfisch> puppet is being dumb, unsure why  19:36
<mfisch> Mar 30 19:30:27 dnvrco01-keystone-001 puppet-agent[15163]: (/Stage[main]/Designate::Keystone::Auth/Keystone::Resource::Service_identity[designate]/Keystone_user[designate]/password) changed password  19:36
<mfisch> 6 nodes, run every 30 minutes = about 5 min per break  19:36
<mfisch> in other news I have 7 days left at this job, next time it's gonna cost them  19:37
<mfisch> today I had to cancel golf  19:38
*** mvk has quit IRC  19:42
*** ma9_1 has joined #openstack-keystone  19:42
*** ma9_ has quit IRC  19:45
<lbragstad> mfisch nice - glad you figured it out  19:53
* lbragstad stumbles around to find coffee before the keystone/horizon meeting  19:53
<robcresswell> \o/  19:54
*** mvk has joined #openstack-keystone  19:55
<robcresswell> ayoung, cmurphy, david-lyle, dolphm, dstanek, edtubill, kenji-i, knikolla, lbragstad, r1chardj0n3s, rderose, robcresswell, stevemar  19:57
<robcresswell> Reminder about keystone meeting in #openstack-meeting-cp  19:58
<robcresswell> (Just pinging because your names are registered on https://etherpad.openstack.org/p/keystone-horizon)  19:58
*** pnavarro has quit IRC  20:13
*** adrian_otto has joined #openstack-keystone  20:24
<openstackgerrit> Sean Dague proposed openstack/keystone-specs master: Unified limits specification  https://review.openstack.org/440815  20:32
*** chlong has joined #openstack-keystone  20:36
*** prashkre has quit IRC  20:44
*** catintheroof has quit IRC  21:03
*** spilla has quit IRC  21:06
*** chlong has quit IRC  21:09
*** henrynash has joined #openstack-keystone  21:19
*** edmondsw has quit IRC  21:30
*** rarora has quit IRC  21:30
*** edmondsw has joined #openstack-keystone  21:31
*** dave-mccowan has quit IRC  21:32
*** edmondsw has quit IRC  21:35
*** marekd has quit IRC  21:38
*** adrian_otto has quit IRC  21:45
*** marekd has joined #openstack-keystone  21:45
*** sjain has joined #openstack-keystone  21:50
*** bjornar_ has quit IRC  21:50
*** lucasxu has quit IRC  21:54
*** aojea has quit IRC  21:55
*** rarora has joined #openstack-keystone  21:55
*** harlowja has quit IRC  22:02
*** thorst has quit IRC  22:03
*** lamt has quit IRC  22:35
*** sjain has quit IRC  22:41
*** henrynash has quit IRC  22:43
*** guoshan has joined #openstack-keystone  22:47
*** thorst has joined #openstack-keystone  23:04
*** thorst has quit IRC  23:08
*** thorst has joined #openstack-keystone  23:14
*** thorst has quit IRC  23:17
*** guoshan has quit IRC  23:19
*** guoshan has joined #openstack-keystone  23:20
*** adrian_otto has joined #openstack-keystone  23:23
*** harlowja has joined #openstack-keystone  23:24
*** guoshan has quit IRC  23:24
*** MasterOfBugs has quit IRC  23:30
*** edmondsw has joined #openstack-keystone  23:31
*** edmondsw has quit IRC  23:35
*** MasterOfBugs has joined #openstack-keystone  23:35
*** openstack has joined #openstack-keystone  23:42
*** thorst has joined #openstack-keystone  23:47
*** niteshnarayanlal has joined #openstack-keystone  23:56
*** thorst has quit IRC  23:59
