#openstack-keystone, Monday, 2018-02-19

09:59 <openstackgerrit> Merged openstack/keystone master: Imported Translations from Zanata  https://review.openstack.org/545656
13:15 <nixi_girl> hi, i'm using https://docs.openstack.org/keystone/latest/advanced-topics/federation/shibboleth.html to set up Shibboleth, and at the third step it says i should (Make sure the keystone.conf vhost file contains a <Location> directive for the Shibboleth module and a <Location> directive for each identity provider)
13:16 <nixi_girl> but in shib.conf and the keystone vhost conf i don't have such a location for the identity provider! should i add it myself?
13:19 <cmurphy> nixi_girl: yes, you should add it to the keystone one (leave the shib one alone)
13:23 <nixi_girl> cmurphy: thanks cmurphy, and in shib.conf i have the location for shib but the content is different from the content in this link
13:24 <nixi_girl> the content of my shib location is auth type none require all granted
13:25 <nixi_girl> should i edit this to be like the content in the link?
13:28 <cmurphy> nixi_girl: did you create shib.conf yourself? if not then it comes from the shibboleth package and shouldn't be edited at all
13:33 <nixi_girl> no, i didn't create it myself, it came from the shibboleth package, ok i won't edit it then, thanks again
14:49 <gagehugo> o/
14:55 <lbragstad> o/
15:15 -openstackstatus- NOTICE: Zuul has been restarted to pick up latest memory fixes. Queues were saved however patches uploaded after 14:40UTC may have been missed. Please recheck if needed.
16:43 <mnaser> question: does the keystone api have pagination or not?  i found list_limit but that seems to be a hard limit
16:43 <mnaser> the reason behind the question: logging into a large deployment of horizon with a big # of projects takes forever, because it requests 1000+ projects
17:16 <openstackgerrit> Merged openstack/keystone master: Simplify token persistence callbacks  https://review.openstack.org/544616
17:16 <openstackgerrit> Merged openstack/keystone master: Simplify federation and oauth token callbacks  https://review.openstack.org/544737
17:24 <lbragstad> mnaser keystone doesn't implement paging because in certain situations, keystone can't guarantee the response ordering depending on the backend being used
17:25 <lbragstad> listing projects from ldap for example
17:25 <lbragstad> we're unable to page the response because ldap might not give us the same ordering of projects when you ask for the second page =/
17:28 <lbragstad> we did implement caching of a user's role assignment though
17:29 <lbragstad> assignments*
17:30 <lbragstad> mnaser this might be relevant to you - https://bugs.launchpad.net/keystone/+bug/1700852
17:30 <openstack> Launchpad bug 1700852 in OpenStack Identity (keystone) ocata "Slow listing projects for user with many role assignments" [Medium,Confirmed]
17:30 <lbragstad> https://review.openstack.org/#/c/487143/
18:02 <lbragstad> cmurphy i think i found an issue with token validation + application credentials
18:05 <cmurphy> lbragstad: uh oh
18:08 <kmalloc> ugh
18:10 <lbragstad> cmurphy https://bugs.launchpad.net/keystone/+bug/1750415
18:10 <openstack> Launchpad bug 1750415 in OpenStack Identity (keystone) "validation of app cred tokens is dependent on CONF.token.cache_on_issue" [Critical,Triaged]
18:11 <lbragstad> we need to make sure the application credential is rebuilt in the validation process
18:13 <kmalloc> yay cache issues
18:13 <kmalloc> =/
18:13 <lbragstad> we stuff the token reference into the cache by default
18:16 <cmurphy> how is this different from any other token?
18:18 <lbragstad> i think the cached version is holding on to the restriction information
18:19 <openstackgerrit> Stefan Nica proposed openstack/keystonemiddleware master: Add option to disable using oslo_message notifier  https://review.openstack.org/545943
18:19 <lbragstad> the app cred restriction information is populated during authentication and cached
18:19 <lbragstad> which is dependent on the specific application credential being used during authentication time being present (because we have to check if it is unrestricted or not)
18:20 <lbragstad> i don't think we incorporated that into the validation process
18:21 <lbragstad> we definitely repopulate the methods used during validation, but i don't think we actually grab any information about the specific application credential in order to determine if it is restricted at all
18:22 <kmalloc> that makes sense.
18:22 <cmurphy> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/common.py#n491
18:22 <cmurphy> we look it up there
18:22 <kmalloc> and shouldn't be hard to fix if that is the case.
18:22 <cmurphy> if there's no cache that should go to db
18:22 <kmalloc> lbragstad: the paste doesn't give the keystone log
18:22 <kmalloc> just the test log
18:23 <kmalloc> which doesn't help us a ton
18:23 <lbragstad> working on a patch quick
18:23 <kmalloc> k
18:23 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Expose bug in application credential token validation  https://review.openstack.org/545945
18:23 <lbragstad> ^
18:24 <kmalloc> lbragstad: i still want to see the actual keystone bits not just a paste of the 500 error
18:25 <kmalloc> i don't accept the bug as is - there is more info needed to make sure we're actually solving and testing for the error
18:25 <lbragstad> yep - working on it
18:25 <lbragstad> let me grab a better log
18:25 <kmalloc> also, the @wip decorator isn't that useful in these cases, since we don't know why it's failing. blindly checking if it fails is no better, we should be looking for a specific error
18:25 <kmalloc> not just "an error"
18:26 <kmalloc> i would like to see us fix @wip.
18:26 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Expose bug in application credential token validation  https://review.openstack.org/545945
18:26 <kmalloc> i disagree with "any error is fine" vs "look for error X, if it is a new error, it shouldn't be caught under the same bug"
18:28 <lbragstad> log from the test run http://paste.openstack.org/show/677699/
18:28 <lbragstad> without wip - so that it fails
18:28 <kmalloc> this looks like we might be mis-populating the token data
18:28 <kmalloc> in general
18:30 <kmalloc> lbragstad: so, this looks like a case where the app_cred_id isn't being passed down into the get_token_data
18:31 <lbragstad> yeah - or we're not to repopulate the application credentials for a user
18:32 <kmalloc> so it's def in the methods
18:32 <lbragstad> if 'application_credential' is one of the auth methods
18:32 <kmalloc> just not populating
18:32 <kmalloc> yeah
18:33 <lbragstad> ok - here is the diff i have http://paste.openstack.org/show/677705/
18:33 <lbragstad> and here are the token references
18:33 <lbragstad> http://paste.openstack.org/show/677708/
18:34 <lbragstad> one after authenticating
18:34 <lbragstad> and the other is from validating that same token when trying to delete a trust
18:34 <lbragstad> (which is using a reconstructed token reference)
18:35 <kmalloc> uhm.
18:35 <kmalloc> where do we store the app_cred_id in the token payload?
18:35 <kmalloc> i think that is the issue here.
18:36 <kmalloc> so reconstructing the token.. there is no app_cred
18:37 <kmalloc> looking in https://github.com/openstack/keystone/blob/master/keystone/token/token_formatters.py
18:37 <lbragstad> commented - http://paste.openstack.org/show/677712/
18:37 <lbragstad> and yes
18:37 <lbragstad> that's the issue
18:37 <kmalloc> fun times
18:37 <kmalloc> and we're going to need to backport the fix to queens.
18:37 <lbragstad> yeah
18:38 <lbragstad> we can either ask keystone for all application credentials for a user and project if 'application_credential' is in the token methods,
18:38 <lbragstad> or we can put the app_cred_id in the payload
18:38 <lbragstad> the second will work for sure
18:40 <kmalloc> make more formatters
18:40 <kmalloc> don't just ask for all app creds it may not be appropriate
18:40 <kmalloc> it also means you might get the wrong cred
18:41 <kmalloc> you can have multiple app creds, which one are you supposed to populate from if you ask for all?
18:41 <kmalloc> this is likely going to need to have multiple formatters created for the various scope types.
18:42 <kmalloc> lbragstad: added the bug target to Queens as well
18:42 <kmalloc> and commented on the bug with updated information
18:44 <lbragstad> right now app creds require project scope, i think
18:45 <kmalloc> that's fine
18:45 <kmalloc> it means a new project scope subclass token version
18:45 <kmalloc> easy enough to do.
18:50 <cmurphy> lbragstad: have you reproduced this on devstack? because i haven't been able to so far
18:50 <lbragstad> cmurphy i haven't with devstack - just with tests locally
18:50 <lbragstad> i discovered it refactoring the token provider API
18:51 <kmalloc> the issue should occur with any token validation if the token has fallen out of cache
18:51 <kmalloc> if you check app_cred info
18:51 <kmalloc> since we don't store any information about the app_cred in the token payload
18:51 <kmalloc> but the pre-seeded cache does have that information
18:52 <kmalloc> unless i'm totally mis-reading the fernet formatter somehow
18:52 <kmalloc> validation of an app_cred token*
18:52 <kmalloc> not "any token"
18:53 <lbragstad> what i've found is that the application_credential_restricted property isn't present when validating an application credential token
18:54 <kmalloc> expected from what i see in the code
18:54 <lbragstad> i have devstack on another box, let me see if i can use that to recreate
18:57 <mnaser> lbragstad: looks like the issue might live a bit more in horizon land, listing all projects takes 0.583918 via CLI
18:57 <lbragstad> mnaser oh - nice
18:57 <lbragstad> well - probably not nice, but...
18:57 <mnaser> lbragstad: ~1000 projects, so i guess building a giant table without pagination can result in this
19:05 <cmurphy> lbragstad: okay reproduced
19:06 <cmurphy> you're right it's the restricted key
19:08 <cmurphy> lbragstad: are you working on a patch?
19:08 <lbragstad> cmurphy i was just recreating with a devstack setup
19:08 <lbragstad> and recording it
19:08 <lbragstad> but it looks like you got it
19:09 <lbragstad> i don't have anything rolling for a fix locally, yet
19:11 <cmurphy> okay i can take it
19:13 <lbragstad> cmurphy did you just disable caching in devstack?
19:14 <cmurphy> lbragstad: i disabled cache_on_issue like your bug report said
19:14 <lbragstad> ok
20:25 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Populate application credential data in token  https://review.openstack.org/545971
20:25 <cmurphy> lbragstad: kmalloc ^
20:25 <lbragstad> nice
20:25 <cmurphy> probably needs some tests and a release note but should fix the bug
20:25 <lbragstad> i have a test locally
20:25 <lbragstad> wrapping up the wip decorator bit and writing a commit message for it
20:26 <cmurphy> okay it's already based on your trusts test so if you update it i can rebase
20:31 <lbragstad> that's perfect
20:32 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Expose bug in application credential token validation  https://review.openstack.org/545945
20:33 <lbragstad> new test that gives a little more context around the failure.
20:34 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Expose bug in application credential token validation  https://review.openstack.org/545945
20:58 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Populate application credential data in token  https://review.openstack.org/545971
21:10 <lbragstad> cmurphy so we're moving the application_credential_restricted property?
21:11 <cmurphy> lbragstad: i'd like to, is that okay?
21:12 <lbragstad> that's what i'm wondering, too
21:12 <cmurphy> it is technically api breaking
21:13 <lbragstad> right
21:13 <cmurphy> but we haven't actually released yet
21:13 <lbragstad> right...
21:13 <cmurphy> but if the token has app cred data then it stops making sense for it to be a property on its own
21:13 <lbragstad> rock <- -> hard place
21:14 <cmurphy> lol
21:14 <lbragstad> right - providing a little information in an application credential reference seems more useful
21:14 <lbragstad> versus a one-off property of the token?
21:15 <cmurphy> right
21:17 <cmurphy> ¯\_(ツ)_/¯
21:18 <lbragstad> well - it's the same approach we take for other things in the token (e.g. the domain, project, etc..)
21:18 <lbragstad> cc kmalloc ?
21:19 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Expose bug in application credential token validation  https://review.openstack.org/545945
21:19 <lbragstad> cmurphy ok - finally got my stuff together, that patch should be right ^
21:19 <kmalloc> uhm
21:19 <kmalloc> this one is hard re breaking change
21:19 <kmalloc> if we can land it before release of Q ... i think we're ok
21:19 <kmalloc> but we'd need to land the backport ASPA
21:19 <kmalloc> ASAP
21:20 <kmalloc> i also agree providing the reference is more useful
21:20 <cmurphy> sweet
21:20 <kmalloc> long term
21:33 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Populate application credential data in token  https://review.openstack.org/545971
21:34 <cmurphy> kmalloc: lbragstad ^ needs a rereview
21:34 <cmurphy> oh wait release note
21:35 <kmalloc> cmurphy: you can add the relnote as a followup if you want
21:35 <kmalloc> cmurphy: consider my +2 sticky
21:36 <kmalloc> as long as zuul says "ok"
21:36 <kmalloc> lbragstad: ^
21:36 <cmurphy> we have to backport so i'd rather have fewer commits
21:39 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Populate application credential data in token  https://review.openstack.org/545971
21:40 <lbragstad> cmurphy in that case, feel free to roll my patch into yours if you want
21:40 <cmurphy> lbragstad: okie
21:41 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Populate application credential data in token  https://review.openstack.org/545971
21:50 <lbragstad> cmurphy looks good, just one question inline. passes for me locally
21:55 <cmurphy> lbragstad: right now it's always going to be project scoped, it can't be unscoped or system scoped, so project_id should always be there when the token is being assembled
21:55 <lbragstad> ok - i figured as much
21:55 <lbragstad> we can cross that bridge when we open up that functionality
21:55 <cmurphy> that's what i figured
22:07 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: WIP: rewrite keystone  https://review.openstack.org/545450

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!