lbragstad | aahh: the services put keystonemiddleware in their wsgi pipeline and it processes the request as it comes through the service | 02:46 |
---|---|---|
BenderRodriguez | Hello everyone | 02:46 |
SamYaple | o/ BenderRodriguez | 02:47 |
SamYaple | lbragstad: recently (today!) i got openstack/loci autopublishing images to dockerhub on each commit to openstack/loci. my next step is getting it to publish when a commit merges to keystone/glance/cinder/nova etc. this requires adding a job to the post pipeline of the projects in question. cinder was ok with that https://review.openstack.org/#/c/512398/ | 02:49 |
SamYaple | is this something keystone would also +1 ? (infra specifically asked that, at least at this time, the projects ptls +1 a patch like this) | 02:50 |
SamYaple | it doesnt affect the keystone gates in anyway since its a post job, so this is more of a social issue than a technical one | 02:50 |
lbragstad | SamYaple: oh - nice | 02:51 |
lbragstad | SamYaple: i don't think i have a problem with it - are you free tomorrow during the keystone meeting? | 02:52 |
SamYaple | i can make myself free, yes | 02:52 |
SamYaple | the job for cinder builds and pushes to dockerhub in under 5 minutes :) completely usable image afterward | 02:53 |
lbragstad | awesome! | 02:54 |
lbragstad | SamYaple: https://etherpad.openstack.org/p/keystone-weekly-meeting | 02:54 |
SamYaple | awesome, thanks lbragstad | 02:58 |
lbragstad | SamYaple: no problem - thanks for checking | 02:58 |
SamYaple | im on the fence on whether a project should be required to consult, in this case, keystone to add something like this to the post pipeline, or it should be allowed | 02:58 |
SamYaple | for now, im just going to be consulting with the projects, see if anyone has a concern | 02:59 |
SamYaple | im actually more concerned docker will throttle/block it than anything else lol. but if that happens, we can switch to just publishing on tagged versions of projects | 03:00 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement backend logic for system roles https://review.openstack.org/507994 | 03:13 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement manager logic for user+system roles https://review.openstack.org/512468 | 03:13 |
lbragstad | SamYaple: I'd be pretty tough to have gripes about someone doing something in post, I'd think | 03:13 |
lbragstad | It'd* | 03:13 |
SamYaple | my thoughts as well. but we will go the political route first :) | 03:14 |
openstackgerrit | Merged openstack/keystone master: Move auth header definitions into authorization https://review.openstack.org/508411 | 03:33 |
openstackgerrit | Colleen Murphy proposed openstack/keystone-specs master: (WIP) Repropose application credentials to queens https://review.openstack.org/512505 | 06:56 |
openstackgerrit | Nam Nguyen Hoai proposed openstack/python-keystoneclient master: Use generic user for both zuul v2 and v3 https://review.openstack.org/512509 | 06:59 |
openstackgerrit | Dinesh Bhor proposed openstack/keystoneauth master: Add mask_password to sanitize sensitive data https://review.openstack.org/512522 | 07:20 |
openstackgerrit | Nam Nguyen Hoai proposed openstack/python-keystoneclient master: Use generic user for both zuul v2 and v3 https://review.openstack.org/512509 | 07:29 |
openstackgerrit | Suramya proposed openstack/keystone master: Reorganize api-ref: v3 domains https://review.openstack.org/505135 | 12:04 |
magicboiz | ayoung: some days ago I did ask on x509 end-user auth with horizon/keystone. Could you provide some example/doc/URL to check? | 13:34 |
magicboiz | ayoung: you answered that mod_ssl was the solution, but I didn't get it.... :( | 13:35 |
ayoung | magicboiz, you use federation... | 13:35 |
ayoung | magicboiz, you can use the various mods and variables listed here with Federation http://www.freeipa.org/page/Environment_Variables | 13:36 |
ayoung | magicboiz, figure out what in the cert you want to use as the username: probably a DN or CN or something | 13:36 |
magicboiz | ayoung: ok, I understand that point, the CERT DN/CN must be built with some specific info, but, how do I get Horizon/Keystone to work with this? | 13:38 |
ayoung | magicboiz, have you read up on Federation? | 13:38 |
magicboiz | ayoung: also, is this compatible with multi-domain? | 13:38 |
ayoung | https://docs.openstack.org/security-guide/identity/federated-keystone.html talks about how to do it with mod_shib. Replace that with mod_ssl. | 13:39 |
magicboiz | ayoung: I'd read https://docs.openstack.org/security-guide/identity/federated-keystone.html | 13:39 |
ayoung | magicboiz, and yes, multi domain is pretty much essential | 13:39 |
ayoung | magicboiz, I don't have all the ssl options for you, but when I did it with mod_nss (like ssl) the config looked like this | 13:39 |
ayoung | magicboiz, sorry, when I did it with Kerberos it looked like this | 13:41 |
ayoung | https://github.com/admiyo/rippowam/blob/master/roles/packstack/templates/keystone-federation.conf.j2 | 13:41 |
josecastroleon | hi ayoung | 13:41 |
ayoung | magicboiz, I know that there was a whole push for tokenless auth from service users that used mod_ssl, and that did Federation, so look that up | 13:41 |
ayoung | !]I CAN'T BELIEVE IT! | 13:42 |
openstack | ayoung: Error: Spurious "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands. | 13:42 |
ayoung | josecastroleon, how's it going! | 13:42 |
josecastroleon | updating services at CERN cloud | 13:42 |
josecastroleon | i've just seen your comments about x509 auth | 13:42 |
josecastroleon | we are not using the federation channel at the moment for authentication methods | 13:43 |
josecastroleon | we have a different entry point for kerberos or x509 auth | 13:43 |
magicboiz | ayoung, josecastroleon : and what about horizon? I understand that I have to configure apache+mod_ssl as ayoung indicates, but what about horizon? | 13:44 |
ayoung | josecastroleon, what do you mean by entrypoint? | 13:45 |
magicboiz | ayoung, josecastroleon : and another issue I'm facing is the classic Load-Balancer in front of keystone/horizon servers, which intercepts SSL traffic.... :( | 13:45 |
ayoung | magicboiz, so long as you can get the load balancer to forward the variables to the wsgi app, you are OK | 13:46 |
josecastroleon | magicboiz: use tunneling in the loadbalancer | 13:46 |
josecastroleon | it will pass also the certificates through | 13:46 |
josecastroleon | we have /admin /main for normal user/pass token authentication | 13:46 |
josecastroleon | we have /krb for kerberos | 13:47 |
josecastroleon | and then the entry point has KrbMethodNegotiate On | 13:47 |
josecastroleon | and a /x509 entry that has SSLVerifyClient require in mod_ssl | 13:47 |
magicboiz | ayoung, josecastroleon : ok | 13:48 |
ayoung | josecastroleon, you are not using Federation for Kerb or X509 though, right? | 13:50 |
josecastroleon | ayoung: not yet | 13:50 |
josecastroleon | the client plugin does not work | 13:51 |
ayoung | I'm trying to move people away from that. Everything should be Federated, so your config is Good, but magicboiz should do it in front of /OS-FEDERATION/<idp>/X509 instead | 13:51 |
josecastroleon | ayoung: and then protect the endpoint in apache with mod_ssl | 13:52 |
ayoung | magicboiz, to set up federation requires 3 calls to Keystone: create Idp, create mapping, create protocol | 13:52 |
ayoung | once those three have been made, you can test by using Curl against the URL it would generate to see if you get a 404 (not set up right) or a 403 (Un authed) | 13:52 |
ayoung | assuming you get to the unauthed state, you then set up the HTTPD conf in front of it. | 13:53 |
ayoung | We ansiblized this here: | 13:53 |
ayoung | https://github.com/admiyo/rippowam/blob/master/roles/packstack/tasks/keystone-sssd.yml | 13:54 |
magicboiz | ayoung: I'll check it, thank you very much. I'm not an expert on keystone so I'll have to test it step by step.... | 13:58 |
ayoung | magicboiz, right. I think I have some troubleshooting you can use...1 sec | 13:59 |
magicboiz | ayoung: also, I'm testing all things with devstack (instead of packstack or ansible).... I don't know whether this is valid or not... | 13:59 |
ayoung | magicboiz, https://adam.younglogic.com/2015/03/key-fed-lookup-redux/ was roughly my method | 14:00 |
ayoung | devstack is fine. It does apache for the Webserver, and you can modify the config | 14:00 |
josecastroleon | ayoung: nice | 14:02 |
ayoung | josecastroleon, thanks. I am mostly worried about how people do LDAP. I really want that to stop being directly wired into Keystone, and instead done via federation, but without SSSD/mod_lookup_identity, we don't yet have a module that will handle it | 14:03 |
ayoung | LDAP really should be fronted via SAML or OpenIDC for use on the web these days. | 14:03 |
josecastroleon | ayoung: fully agree, i may need to revisit our config ;) | 14:05 |
ayoung | josecastroleon, it might be a pretty big data migration effort if the userids don't line up, and Federation does the whole autogenerated approach that I so dislike | 14:06 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement manager logic for user+system roles https://review.openstack.org/512468 | 14:20 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement manager logic for group+system roles https://review.openstack.org/512641 | 14:20 |
openstackgerrit | Gage Hugo proposed openstack/keystone master: Add JSON schema validation for project tags https://review.openstack.org/484483 | 16:29 |
openstackgerrit | Gage Hugo proposed openstack/keystone master: Add policy for project tags https://review.openstack.org/486757 | 16:29 |
openstackgerrit | Gage Hugo proposed openstack/keystone master: Implement backend logic for project tags https://review.openstack.org/499726 | 16:29 |
openstackgerrit | Gage Hugo proposed openstack/keystone master: Implement project tags logic into manager https://review.openstack.org/499727 | 16:29 |
openstackgerrit | Gage Hugo proposed openstack/keystone master: Implement project tags API controller and router https://review.openstack.org/499728 | 16:29 |
lbragstad | interesting spec for folks to review if they have time - https://review.openstack.org/#/c/505345/1 | 17:44 |
lbragstad | curious to get feedback there | 17:45 |
lbragstad | ping ayoung, breton, cmurphy, dstanek, edmondsw, gagehugo, henrynash, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rderose, rodrigods, samueldmq, spilla, aselius, dpar, SamYaple | 17:56 |
lbragstad | five minute pre-meeting ping | 17:56 |
SamYaple | lbragstad: https://review.openstack.org/#/c/512793/ | 18:49 |
SamYaple | thanks again everyone | 18:49 |
lbragstad | SamYaple: thanks | 18:52 |
lbragstad | #startmeeting keystone-office-hours | 19:04 |
openstack | Meeting started Tue Oct 17 19:04:19 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. | 19:04 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 19:04 |
*** openstack changes topic to " (Meeting topic: keystone-office-hours)" | 19:04 | |
openstack | The meeting name has been set to 'keystone_office_hours' | 19:04 |
lbragstad | alrighty - who's around? | 19:04 |
*** ChanServ changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/5F0h9Hoe/keystone" | 19:04 | |
cmurphy | o/ | 19:04 |
knikolla | o/ | 19:04 |
lbragstad | awesome - preferences on what you want to do? | 19:05 |
lbragstad | spec review, an implementation review, something focused, bugs? | 19:05 |
knikolla | hmmm.. any priorities? | 19:06 |
cmurphy | did my office hours dashboard break or are there no bug related patches in gerrit right now? | 19:06 |
lbragstad | or we can divide and conquer | 19:06 |
lbragstad | cmurphy: there aren't many patches that close bugs | 19:06 |
lbragstad | we worked through most of them, or they need fixing | 19:06 |
lbragstad | knikolla: anything from the meeting :) | 19:06 |
* lbragstad fetches his new favorite link | 19:07 | |
lbragstad | #link https://trello.com/b/5F0h9Hoe/keystone?menu=filter&filter=due:week | 19:07 |
* cmurphy will go look at project tag things | 19:07 | |
lbragstad | awesome - that'd be good | 19:08 |
lbragstad | knikolla: kmalloc would be good to get your opinions on https://review.openstack.org/#/c/505345/1 | 19:09 |
knikolla | looking | 19:09 |
gagehugo | o/ | 19:10 |
* knikolla will review specs then. if there's any implementation patches that need more eyes give me a ping. | 19:10 | |
gagehugo | sorry was reading jwt | 19:10 |
lbragstad | gagehugo: by all means - keep reading JWT | 19:11 |
gagehugo | the spec looks good | 19:11 |
lbragstad | jamielennox: i assume this can be abandoned now - https://review.openstack.org/#/c/248524/ ? | 19:16 |
lbragstad | lamt: you had an interest in the ksm+oslo.cache work didn't you? | 19:18 |
lbragstad | lamt: i just stumbled across https://review.openstack.org/#/c/268664/ | 19:18 |
cfriesen | lbragstad: In https://review.openstack.org/#/c/505345/1/specs/keystone/queens/auth-response-restrict-catalog.rs you talk about "getting Morgan's take on this". I don't know who that is. :) | 19:20 |
lbragstad | cfriesen: oh - i'm sorry | 19:20 |
lbragstad | Morgan == kmalloc | 19:20 |
cfriesen | thanks | 19:20 |
lbragstad | cfriesen: yep! spec looks good | 19:20 |
cfriesen | I'll try and respin shortly | 19:22 |
cfriesen | hopefully by tomorrow. | 19:22 |
kmalloc | lbragstad: hehe | 19:33 |
kmalloc | cfriesen: yeah, I had to change my nick to hide ;) | 19:34 |
kmalloc | lbragstad cfriesen: commented | 20:06 |
kmalloc | basically i want some metrics showing the benefit(S) of this filtering being server side. | 20:06 |
kmalloc | and be clear this is *not* to provide added security | 20:09 |
lbragstad | yeah - didn't mean to imply security in my comment | 20:09 |
kmalloc | right, but it highlights that people might think it does | 20:10 |
lbragstad | though - in hindsight, it probably came across that way | 20:10 |
kmalloc | we need to be very explicit it provides no added security | 20:10 |
lbragstad | updated my comment | 20:12 |
mike92 | Hi. I was wondering if I could ask a question about endpoints in keystone? | 20:17 |
openstackgerrit | Merged openstack/python-keystoneclient master: Use generic user for both zuul v2 and v3 https://review.openstack.org/512509 | 20:17 |
lbragstad | mike92: go for it | 20:24 |
mike92 | Thanks. In my deployment, the endpoint url has a dynamic hostname in it. Like https://dyndns.com... At some points in my keystone config processing, the dns may not be running. In these cases, I want to specify a uri with an explicit ip to the server I know is running the keystone server, like http://127.0.0.1. | 20:24 |
mike92 | Previously, I did this with OS_URL and admin_token. I could use OS_URL and it didn't matter what the endpoint in keystone was. Is there something similar I can do in Ocata or Pike? | 20:25 |
mike92 | This would be for the openstack command. Previously I set OS_URL and openstack worked fine. Now I have problems because openstack is trying to contact the dyndns address and it's not connecting | 20:26 |
lbragstad | mike92: have you tried using OS_AUTH_URL? | 20:34 |
lbragstad | https://docs.openstack.org/python-openstackclient/latest/cli/authentication.html | 20:34 |
mike92 | I do have OS_URL_SET, but openstack tries to use the endpoint in keystone during the communication | 20:38 |
mike92 | # echo $OS_AUTH_URL | 20:38 |
mike92 | http://127.0.0.1:35357/v3 | 20:38 |
mike92 | [root@localhost httpd]# openstack --debug endpoint list | 20:38 |
mike92 | ... | 20:38 |
mike92 | "POST /v3/auth/tokens HTTP/1.1" 201 1044 | 20:38 |
mike92 | {"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "03de69ec878843caa16d57c934ede47d", "name": "admin"}], "expires_at": "2017-11-16T20:36:50.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "2a763d4465b346e4997eb305d3fc87c1", "name": "admin"}, "catalog": [{"endpoints": [{"url": "http://dyndns:35357/", "interface": "admin", "region": null, "region_id": null, "id": "e09499e3203e40198fa42f4f444f599d"} | 20:38 |
mike92 | , {"url": "http://dyndns:35357/", "interface": "internal", "region": null, "region_id": null, "id": "dfbd1a6519ab4c658c1d913d2b025379"}, {"url": "http://dyndns:5000/", "interface": "public", "region": null, "region_id": null, "id": "c99f89d7f0a84364868bb12f4570570a"}], "type": "identity", "id": "295eaf6ea94547b4ae770f0bee7c4504", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "a | 20:39 |
mike92 | dmin", "id": "395f1f23859245fe84dd1b056935de87"}, "audit_ids": ["V7RQCtHYRpuJj_y8RXDHBA"], "issued_at": "2017-10-17T20:36:50.000000Z"}} | 20:39 |
mike92 | REQ: curl -g -i -X GET http://dyndns:35357/ -H "Accept: application/json" -H "User-Agent: osc-lib/1.7.0 keystoneauth1/3.1.0 python-requests/2.11.1 CPython/2.7.5" | 20:39 |
mike92 | Starting new HTTP connection (1): dyndns | 20:39 |
mike92 | It tries to contact the dyndns address | 20:39 |
mike92 | sorry. I meant I have OS_AUTH_URL set | 20:39 |
lbragstad | oh - that seems openstack-client specific | 20:51 |
lbragstad | ping dtroyer ^ | 20:52 |
dtroyer | OS_URL should only be used if OS_TOKEN is also set, in which case the service catalog is bypassed and OS_URL is used directly to contact the service being used by the command. This breaks down for any command that talks to multiple services (such as looking up names/ID on another API). | 20:59 |
dtroyer | Otherwise we use the Service Catalog to locate the services. | 21:00 |
dtroyer | You may have an option to configure different interfaces (public/admin/internal) and select between those in the service catalog, say setting internal to the IP address then forcing that when you need it | 21:01 |
openstackgerrit | Merged openstack/keystone master: Add JSON schema validation for project tags https://review.openstack.org/484483 | 21:01 |
mike92 | that's an interesting idea. I'll see if I can get something like that to work in my deployment. | 21:03 |
gagehugo | cmurphy it's been awhile since I've looked at that OSC patch | 21:11 |
cmurphy | :) | 21:13 |
gagehugo | it definitely needs some fixing up | 21:14 |
mike92 | Thanks for the help! | 21:15 |
openstackgerrit | Gage Hugo proposed openstack/keystone master: Add project tags api-ref documentation and reno https://review.openstack.org/472396 | 21:16 |
cmurphy | gagehugo: i didn't look at much besides the docs, i was just using it to start validating the server code | 21:16 |
gagehugo | cmurphy I think it kinda works if I remember right | 21:16 |
gagehugo | lbragstad https://review.openstack.org/#/c/506751/ | 21:18 |
lbragstad | hmm - those look like legit failures | 21:19 |
gagehugo | yeah | 21:19 |
gagehugo | idk why jenkins/zuul never ran after you last pushed | 21:20 |
gagehugo | that might have been the previous zuul3 attempt | 21:20 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Deleting an identity provider doesn't invalidate tokens https://review.openstack.org/512872 | 21:43 |
lbragstad | partial fix for a bug ^ | 21:43 |
lbragstad | #endmeeting | 22:00 |
*** openstack changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/5F0h9Hoe/keystone" | 22:00 | |
openstack | Meeting ended Tue Oct 17 22:00:06 2017 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 22:00 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-10-17-19.04.html | 22:00 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-10-17-19.04.txt | 22:00 |
openstack | Log: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-10-17-19.04.log.html | 22:00 |
cmurphy | o7 | 22:00 |
lbragstad | productive office hours - thanks all! | 22:02 |
openstackgerrit | Gage Hugo proposed openstack/keystone master: Add project tags api-ref documentation and reno https://review.openstack.org/472396 | 22:59 |
openstackgerrit | Merged openstack/keystone master: Add policy for project tags https://review.openstack.org/486757 | 23:57 |