Thursday, 2017-09-28

<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements https://review.openstack.org/500005 [00:04]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements https://review.openstack.org/470137 [00:12]
<SamYaple> not having much luck figuring out why this is happening http://paste.openstack.org/show/622098/ [00:51]
<SamYaple> it could be a red herring for the issue im having though [00:53]
<lbragstad> SamYaple: what's the situation look like? [02:56]
<lbragstad> are you just seeing that for token validation? [02:56]
<SamYaple> lbragstad: `openstack server list --all` is hanging. I am getting that in the logs. it is from ksa_exceptions.NotFound [02:57]
<SamYaple> it doesnt happen always [02:57]
<SamYaple> and i can't reproduce it outside of the nova logs [02:57]
<lbragstad> huh - weird [02:58]
<SamYaple> im suspecting a timeout issue... is it possible it presents that way? [02:58]
<lbragstad> i assume you can get a token as that user and validate it? [02:58]
<SamYaple> indeed [02:58]
<lbragstad> i'm not aware of timeouts coming through as 404s from ksa [02:58]
<SamYaple> if nova is failing to lookup, say, endpoints would it throw a NotFound? (i dont really understand when NotFound would be thrown) [02:59]
<lbragstad> cc mordred efried kmalloc ^ [02:59]
<lbragstad> the error message seems totally specific to token validation [02:59]
<SamYaple> right, but https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/exceptions/http.py#L146 [03:00]
<SamYaple> what "resource" is it referring to? [03:00]
<lbragstad> that might be something general [03:01]
<lbragstad> as in any keystone resource... [03:01]
<lbragstad> let me check something [03:01]
<lbragstad> that error string doesn't actually appear in the ksa source from what i can tell [03:04]
<SamYaple> its in keystonemiddleware [03:04]
<lbragstad> do the keystone logs emit a 404? [03:04]
<lbragstad> oh [03:04]
<SamYaple> its just catching the exception NotFound from keystoneauth [03:05]
<lbragstad> aha [03:06]
<lbragstad> yeah [03:06]
<lbragstad> i wonder if the discovery bits are tripping somewhere? [03:06]
<SamYaple> well thats just it, it doesnt happen always [03:06]
<SamYaple> as i said, *I* can't reproduce it, and it only exists in nova logs [03:07]
<SamYaple> `openstack server list` returns fine, `openstack server list --all` breaks most of the time, and sometimes I get that error [03:07]
<lbragstad> that's strange - this is the first i've heard of something like this with ksa+ksm [03:12]
<lbragstad> what version of ksa are you using? [03:12]
<SamYaple> 3.2.0, but i did revert 2.18 or so (stable/ocata upper-constraints) because i know 3.2.0 had that fun discovery stuff [03:14]
<SamYaple> same behaviour with both [03:14]
<SamYaple> (i need 3.2.0 for the latest version of shade which im using, but again, i tested without it) [03:14]
<lbragstad> hmm [03:16]
<SamYaple> i dont think keystone is broken to be honest. i did a few hours ago, but after walking through the code i think this is something else and this is a symptom [03:16]
<SamYaple> the fact youve never heard or seen this kinda confirms that to me [03:17]
<SamYaple> thanks for your insight. im going to call it for the night. ping me if you think of anything else lbragstad [03:21]
<lbragstad> SamYaple: will do - thanks for bringing it up [03:21]
<lbragstad> SamYaple: i'll sync with mordred tomorrow and see if he has any ideas [03:22]
<mordred> lbragstad, SamYaple: I'm not really here - but will help look at it tomorrow [03:27]
<mani_> hi anyone can help [04:38]
<mani_> http://paste.openstack.org/show/622103/ [04:39]
<mani_> Run Cmd: openstack endpoint list [04:39]
<efried> SamYaple lbragstad I took a quick look at that NotFound thing. [12:29]
<efried> I don't believe it's ksa's NotFound exception. [12:29]
<efried> I believe it's keystone's TokenNotFound exception. [12:29]
<efried> Are we perchance using TokenlessAuth and providing an unversioned auth_url? [12:33]
<efried> Mm, I take back the thing about ksa's NotFound. That guy is involved. [12:37]
<kmARC> Hey guys, I'm still being driven crazy with cli auth for OpenID [13:40]
<kmARC> anyone has expertise in this? [13:41]
<kmARC> or an easy alternative (like, a user could get an access token from horizon, after logged in securely with openID) [13:41]
<lbragstad> kmARC: do you have a list of steps to recreate? [13:44]
<kmARC> - Installed Keycloak IDP. Configured, works well with Horizon. [13:45]
<kmARC> - Trying to use cli. No idea how to configure. [13:45]
<kmARC> That's it basically :-) [13:45]
<kmARC> right now my problem is that the v3oidcpassword plugin somehow tries to POST login data to one of the keycloak endpoints, however keycloak reports that HEAD, GET, OPTIONS are the only allowed operations [13:46]
<kmARC> I can see that the auth part works - a token is generated. If I screw up the password, I would get an authn error [13:47]
<kmARC> *authn part works [13:47]
<kmARC> also it works flawlessly through horizon so far. [13:53]
<kmARC> If my users had any means of getting a client_secret/token/whatever through horizon with which they could configure their openrc, that'd be also fine [13:54]
<lbragstad> kmARC: you're not following a writeup of some kind, are you? [14:02]
<kmARC> now I tried to follow the Nash-Topol-Martinelli book, the error is the same [14:03]
<kmARC> https://books.google.ch/books?id=MZcpCwAAQBAJ&pg=PA91&lpg=PA91&dq=5.5.3+testing+it+all+out&source=bl&ots=bhqVpsW3tw&sig=FROSoOn_RcydyvG6114j25QECtY&hl=en&sa=X&ved=0ahUKEwiwqJX_hcjWAhXmDZoKHQwjDPoQ6AEIKDAA#v=onepage&q=5.5.3%20testing%20it%20all%20out&f=false [14:03]
<kmARC> Section 5.5.3 Testing it all out [14:04]
<kmARC> it lists a short python snippet to try to authenticate with the v3 oidc password plugin [14:04]
<kmARC> lbragstad do you have a recommendation on what writeup to follow? [14:05]
<lbragstad> kmARC: not really - that's why i was curious if you were following a specific one [14:05]
<lbragstad> stevemar: ^ [14:05]
<lbragstad> i think knikolla uses keycloak at BU? [14:06]
<knikolla> lbragstad: not yet, but just did a POC for that. [14:07]
<kmARC> keep in mind, it works beautifully through horizon [14:08]
<knikolla> didn't get time to test the cli yet. [14:08]
<knikolla> only the horizon flow for now. [14:08]
<kmARC> right now I'm at a point where I'd rather implement a small service that gives my users a long lived token/client_secret and configure keystone to accept that. [14:08]
<kmARC> knikolla: what kind of solution do you provide to your users with cli on the system where you have the horizon flow in place? [14:10]
<knikolla> kmARC: am not going to roll it out to users until I solve the CLI use case. so i'll keep playing around with it when i get more time. [14:12]
<knikolla> kmARC: this is until app credentials get implemented, then there'll be a great story for that :) [14:13]
<kmARC> You're my guest for a beer in Sydney if you solve it somehow :-D [14:13]
<kmARC> app creds - if they are what I think they are - also works [14:13]
<lbragstad> yeah - that sounds like a great fit for app credentials [14:13]
<knikolla> kmARC: that's the correct motivation for an engineer. [14:13]
<lbragstad> we've got action items to update the specification and start the implementation this release [14:14]
<kmARC> :-S that's a bit too late for me :-) [14:16]
<kmARC> anyhow [14:17]
<kmARC> now I'm gitblameing the v3oidcpassword folks and hunt them down for more info :-) [14:17]
<kmARC> So I haven't dug deep into horizon's code. But is my assumption correct that the horizon flow does _not_ use v3oidc{password,credentials} but it's all dispatched to apache2 mod_oidc? [14:20]
<kmARC> stevemar: maybe? [14:37]
-openstackstatus- NOTICE: The infra team is now taking Zuul v2 offline and bringing Zuul v3 online. Please see https://docs.openstack.org/infra/manual/zuulv3.html for more information, and ask us in #openstack-infra if you have any questions. [14:42]
<knikolla> kmARC: that is correct. it uses the apache mod [14:56]
<kmARC> Ah okay, obviously the difference between the horizon flow and the cli flow is that the cli sends the username/password itself to IDP, while with horizon it's the user who enters it. [14:56]
<knikolla> yep [14:56]
<kmARC> This is what happens: [15:05]
<kmARC> - REQ: curl -g -i -X POST https://keycloak/auth/realms/<REALM>/protocol/openid-connect/token [15:05]
<kmARC> - an access_token is generated. this is how one talks to keycloak APIs (I've done it many times), with an Authorization: Bearer <token> header. [15:05]
<kmARC> - this means that the authentication works. [15:05]
<kmARC> - REQ: curl -g -i -X POST http://openstack-keystone/v3/OS-FEDERATION/identity_providers/<IDP>/protocols/openid/auth [15:05]
<kmARC> - this then gives back the apache mod_oidc response, which includes the IDP authentication endpoint. In my case this is gonna be: [15:05]
<kmARC> Location: https://keycloak/auth/realms/<REALM>/protocol/openid-connect/auth?response_type=code& [15:05]
<kmARC> scope=openid%20email%20profile&client_id=<CLIENT_ID>&state=gWTSWn1C9mPJFaOiQRvy2WYiiXI&redirect_uri=http%3A%2F%2Fopenstack-keystone%2Fv3%2FOS-FEDERATION%2Fidentity_providers%2F<IDP>%2Fprotocols%2Fopenid%2Fauth%2Fredirect&nonce=kH3H6X2n66Y83ca72hP_ZO5N5w_lK1onitb8SOQIPJk [15:05]
<kmARC> - then openstackclient issues a POST request to this location. keycloak gives back an error: [15:05]
<kmARC> RESP: [405] ... WildFly/10 Allow: HEAD, GET, OPTIONS X-Powered-By: Undertow/1 ... [15:05]
<kmARC> so this last step is supposed to be a form post. [15:06]
<kmARC> which is - I guess - up to the idp how they implement it, isn't it? [15:06]
<kmARC> Or is there any specification how it is supposed to be implemented in an ID provider? That would be strange, I mean what if an identity provider doesn't even let username/password auth but let's say face recognition or such [15:07]
<kmARC> According to the RFC, [15:19]
<kmARC> "The authorization endpoint is used to interact with the resource [15:19]
<kmARC> owner and obtain an authorization grant.  The authorization server [15:19]
<kmARC> MUST first verify the identity of the resource owner.  The way in [15:19]
<kmARC> which the authorization server authenticates the resource owner [15:19]
<kmARC> (e.g., username and password login, session cookies) is beyond the [15:19]
<kmARC> scope of this specification." [15:19]
<kmARC> ... [15:19]
<kmARC> "The authorization server MUST support the use of the HTTP "GET" [15:19]
<kmARC> method [RFC2616] for the authorization endpoint and MAY support the [15:19]
<kmARC> use of the "POST" method as well." [15:19]
<kmARC> Source: https://tools.ietf.org/html/rfc6749 [15:19]
<kmARC> So it seems the implementation is bugous in the sense that it expects the auth endpoint to accept POST, however, according to the RFC, it's not required :-\ [15:20]
<knikolla> jdennis is the keycloak expert [15:33]
<kmARC> jdennis: helpme :-) [15:42]
<jdennis> kmARC: sorry I can't be of immediate assistance, I know keycloak well with SAML but hardly at all with openidc [15:43]
<kmARC> :-( [15:45]
<jdennis> kmARC: I suggest you try the keycloak user list: https://lists.jboss.org/mailman/listinfo/keycloak-user [15:47]
<kmalloc> kmARC, jdennis: this might be something osc/keystoneauth is assuming [15:47]
<kmalloc> keycloak might be doing the right (ish) thing here [15:47]
<kmalloc> we may only support (currently) the use of IDPs that support post. [15:49]
<kmalloc> and that is fine, it's not a bogus implementation, it's a narrow implementation that doesn't cover the whole spec. [15:49]
<kmalloc> OIDC via CLI tools has always been very difficult [15:50]
<kmalloc> since OIDC (like most SSO tech) assumes a web browser [15:50]
<jdennis> kmalloc: so this is a command line issue and not browser? [15:51]
<kmalloc> jdennis: if i'm reading it right, yes [15:52]
<kmalloc> jdennis: looks like OSC is trying to POST to keycloak and keycloak says "hah, no, get or head" [15:53]
<kmalloc> jdennis: i don't think this is a keycloak issue. [15:54]
<kmalloc> (well keycloak *could* support posts, but in this case doesn't seem to) [15:54]
<kmalloc> it might be a config issue on keystone's side/mod_oidc [15:55]
<jdennis> kmalloc: I'd have to look at the code, the spec and review some recent posts on how KC handles tokens for command line access, but I can't jump into this atm [15:55]
<kmalloc> jdennis: yeah i figured, just wanted to let you know it doesn't look like it's fundamentally a keycloak issue. it looks more on the Openstack side/config side [15:57]
<jdennis> ok [15:58]
<kmARC> kmalloc pls read my findings above. The RFC says IDP MAY support POST, however keycloak does not. It MUST support GET tho, therefore the correct implementation should use GET. [15:58]
<jdennis> kmalloc, kmARC: if someone wants to open a bug and assign it to me I'll try to look at it when I get the chance [15:59]
<kmARC> jdennis, sounds good, thanks. [15:59]
<kmARC> will do tomorrow, for today I'm braindead. [15:59]
<kmalloc> kmARC: right like i said, it very well might be on the keystoneauth/osc side, we may have implemented a narrow form of supported oidc idps, we can expand, but it is likely that change is not going to be backportable directly and will become usable in queens (we can evaluate backports, but I can't commit to them at this point) [16:01]
<kmARC> this looks like a client issue, therefore I'm expecting the proposed bugfix to work backward-compatible with the Mitaka server - after all, the browser flow works. So I'm looking forward to the fix. I know python unfortunately well enough to volunteer to help with coding :-) [16:03]
<kmalloc> kmARC: the issue is the way things are implemented in openstackclient and keystoneauth [16:04]
<kmalloc> those are also locked to specific releases [sometimes] [16:04]
<kmalloc> and distributions tend to bundle the releases [16:05]
<kmalloc> it may require a much newer client and that could be incompatible if you're running on a system with other openstack-related-things (non-venv, etc) [16:05]
<kmalloc> just wanted to give you an FYI [16:05]
<kmARC> jdennis: I'm much more looking forward to a solution that works without the shady form post. like v3oidcauthcode or v3oidcaccesstoken. Let me know if you know how to configure keycloak to enable users to create `API tokens`, `API secrets` or something like that, with which they'd be able to issue a secret key that authenticates them into various service providers - if at all this is possible [16:05]
<kmARC> kmalloc, regarding versions, it's not a problem I think, if I document the means of accessing openstack APIs for my users, and it involves virtualenv, then it is what it is, they're still gonna be happy. [16:06]
<kmalloc> wfm :) [16:06]
<SamYaple> efried: its fernet tokens, and there should be no tokenless auth going on [16:30]
<kmARC> jdennis: wait a sec. The `openstack` doesn't list any SAML related auth types... O.o [16:30]
<lbragstad> gagehugo: o/ [18:08]
<lbragstad> did you have anything specific in mind for the last session here? https://etherpad.openstack.org/p/SYD-keystone-forum-sessions [18:08]
<gagehugo> lbragstad other than what's on there not really [18:09]
<gagehugo> was just an idea in case we were lacking them [18:09]
<lbragstad> gagehugo: think we should propose a session specific to jwt? [18:10]
<gagehugo> hmm [18:11]
<gagehugo> dunno if that would fill an entire session? [18:11]
<gagehugo> it might be a good idea [18:11]
<lbragstad> probably not? [18:12]
<lbragstad> that might be something we can do solely in a specification [18:12]
<lbragstad> gagehugo: https://trello.com/c/25sBHXcM/14-write-up-a-specification-for-json-web-tokens [18:12]
<gagehugo> yeah [18:12]
<gagehugo> maybe jwt as part of operator feedback? [18:12]
<aruna> Hi, created a new domain, user, project, role in devstack. But get this error while trying to do "openstack user list" [18:53]
<aruna> User has no access to project  _populate_roles /opt/stack/keystone/keystone/token/providers/common.py:339 [18:53]
<aruna> any help? [18:53]
<lbragstad> aruna: that user needs a role on a project in order to do that [19:34]
<lbragstad> do you have an admin user available? devstack will provide one for you [19:34]
<lbragstad> (you see the credentials listed when devstack exits) [19:34]
<aruna> @lbragstad: got it thanks [19:37]
<lbragstad> this would be a good backport to get merged - https://review.openstack.org/#/c/504084/1 [19:45]
<gagehugo> lbragstad is https://review.openstack.org/#/c/491574/13/keystone/common/utils.py ok for a comment? [20:05]
<lbragstad> gagehugo: oh - yes, that will work [20:07]
<lbragstad> thanks! [20:07]
<gagehugo> I'll fix the tags # after that merges [20:07]
<lbragstad> gagehugo: is there a unified stance on implementing HEAD for tag APIs? [20:07]
<lbragstad> we have the whole "all GET methods should also support HEAD" [20:07]
<lbragstad> but - we don't have those documented in the spec or policy [20:08]
<lbragstad> for project tags, [20:08]
<lbragstad> i'm wondering if that will result in a bug asking for it to be added later? [20:08]
<gagehugo> could be, the controller/router has get_or_head [20:08]
<lbragstad> oh - nice [20:09]
<lbragstad> so it's implemented already [20:09]
<gagehugo> yeah I think this was brought up earlier [20:11]
<gagehugo> I don't think the api-ref says explicitly that you can do HEAD [20:11]
<gagehugo> but it's implemented [20:12]
<lbragstad> gagehugo: does the API ref for project tags have something against doing HEAD? [20:12]
<lbragstad> or implementing HEAD? [20:12]
<gagehugo> http://docs-draft.openstack.org/96/472396/18/check/gate-keystone-api-ref/b38e869//api-ref/build/html/v3/index.html#project-tags [20:13]
<lbragstad> ah - we should modify that patch so that it documents head, too [20:15]
<gagehugo> sure [20:15]
<lbragstad> 1.) because all keystone v3 GET methods should also support HEAD [20:15]
<lbragstad> 2.) the work is already done ;) [20:15]
<gagehugo> lbragstad thanks for the reviews! [21:07]
<lbragstad> gagehugo: yep! stuff looks real good [21:08]
<lbragstad> gagehugo: most of my comments are style things [21:08]
<lbragstad> otherwise the code looks really clean, good work [21:08]
<lbragstad> cc lamt ^ [21:09]
<lbragstad> and the rest of the AT&T team [21:09]
<gagehugo> will do [21:11]
<gagehugo> I like that removing the v2 stuff makes this easier [21:11]
<gagehugo> spent more time than I liked getting the v2 tests to pass :( [21:12]
<lbragstad> gagehugo: yeah... sorry about that =/ [21:15]
<lbragstad> i spent an entire flight getting v2 auth ripped out and refactoring tests, i feel your pain [21:16]
<gagehugo> heh [21:16]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Add JSON schema validation for project tags https://review.openstack.org/484483 [22:05]
<gagehugo> I think there's some zuul funny business [22:06]
<gagehugo> lbragstad I'm gonna put some depends on for these patches instead of rebasing them all on each other [22:06]
<openstackgerrit> Gage Hugo proposed openstack/keystone-specs master: Update project-tags spec https://review.openstack.org/508339 [22:29]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Add policy for project tags https://review.openstack.org/486757 [22:41]