Friday, 2018-03-30

[03:33] openstackgerrit: wangxiyuan proposed openstack/keystone master: [WIP]Add hierarchical limit  https://review.openstack.org/557696
[06:23] openstackgerrit: melissaml proposed openstack/pycadf master: Update links in README  https://review.openstack.org/551695
[12:19] openstackgerrit: melissaml proposed openstack/pycadf master: Update links in README  https://review.openstack.org/551695
[13:59] jroll: cmurphy: lbragstad: another 'JWT is bad' blog post, though focuses on people using it for sessions (sounds like you're already focusing on minimizing that?): http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
[14:08] lbragstad: yeah - we haven't worked a whole lot of that into https://review.openstack.org/#/c/541903/ , but the licensing bit is interesting
[14:53] knikolla: o/
[16:36] * lbragstad goes to shovel snow
[16:36] lbragstad: biab
[16:42] openstackgerrit: ayoung proposed openstack/keystone-specs master: Add capabilities to application credentials  https://review.openstack.org/396331
[17:34] openstackgerrit: Merged openstack/keystone master: Log warning when using token_flush  https://review.openstack.org/556889
[18:47] fiddletw_: assuming this is the right place to ask admin/user questions, I am trying to use the ldap provider for one of my domains.  I've had success but I need to add a user_filter to filter by group. however, my ldap schema doesn't contain a memberOf attribute for my users.  My groups are posixGroups with memberUid entries for each member of the group.  Is there a way to filter users otherwise? My ldap directory has so many users that it times out
[18:47] fiddletw_: trying to find the user.   In other ldap client implementations I've seen ldap filters for users along the lines of (&(objectClass=organizationalPerson)(uid=%s))  where the ldap client substitutes the user supplied username for the %s. This helps limit the search for the users and makes ldap queries return faster.
[18:50] lbragstad: fiddletw_: that's a good question
[18:51] lbragstad: ayoung: or kmalloc might have a better idea of how to do that
[18:51] lbragstad: fiddletw_: how many users are in your ldap backend?
[18:51] lbragstad: i'm standing up an environment now
[18:51] fiddletw_: 200k
[18:51] ayoung: yeah...there is a way
[18:51] * ayoung tries to dig it out of long term memory
[18:51] fiddletw_: heh :)
[18:52] ayoung: fiddletw_, you ready for this?  You are going to learn far more than you want to
[18:52] fiddletw_: I've seen the horrors of ldap before. I think I'm ready...(I think)
[18:53] ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/core.py#n144
[18:53] ayoung: let's start there, as it is as good a place as any
[18:53] fiddletw_: okie doke
[18:53] ayoung: there is a function that checks if a user is in a group.  How does it know?
[18:54] ayoung: This is where we switch over to the LDAP specific code, which is a horror
[18:54] fiddletw_: heh, yeah, I've dealt with flask ldap integration before
[18:54] ayoung: this is a real one off
[18:55] ayoung: When termie rewrote keystone out of spite, I grabbed the LDAP code from the pre-write and stuck it back in
[18:55] ayoung: and then we changed the default scheme...
[18:55] ayoung: back to the spelunking
[18:55] ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/models.py#n55
[18:56] ayoung: But really the group object we care about is a GroupAPI...
[18:56] ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/core.py#n400
[18:57] ayoung: So the default way is to do the query
[18:57] ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/core.py#n424
[18:58] ayoung: now...if you are doing Active Directory, we have a one off
[18:58] ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/core.py#n403
[18:58] ayoung: I don't think that applies to you
[18:58] fiddletw_: sadly, not, it's a custom ldap based off open directory
[18:58] ayoung: so...we are going to execute query = '(%s=%s)' % (self.member_attribute,
[18:58] ayoung:                                  user_dn_esc)
[18:58] ayoung:         return self.get_all_filtered(hints, query)
[19:00] ayoung: common used to be in a different tree, when this was shared, but now the only LDAP we have is in Identity, so that is implemented in
[19:00] ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/common.py#n1472
[19:01] ayoung: well, not quite...we want get_all_filtered....let's see
[19:01] ayoung: keystone/identity/backends/ldap/core.py:324:    def get_all_filtered(self, hints):
[19:02] ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/core.py#n324
[19:02] fiddletw_: I'm catching up
[19:02] ayoung: but that builds a query query = self.filter_query(hints, self.ldap_filter)
[19:02] ayoung: and then filters it post get_all
[19:03] fiddletw_: that get_all, isn't that the get that is getting all the users from my ldap directory?
[19:03] ayoung: in the user object, yeah
[19:03] ayoung: here actually what gets hit is
[19:03] ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/core.py#n466
[19:04] ayoung: I was wrong before
[19:04] ayoung: it is the get_all_filtered in the GroupAPI object...not shared code
[19:04] ayoung: but it is roughly the same
[19:04] ayoung: query = self.filter_query(hints, query)
[19:05] fiddletw_: right that query that does the get_all_filtered, I need it to do something like (uid=USER_SUPPLIED_USERNAME)
[19:05] ayoung: filter_query is implemented here http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/common.py#n1619
[19:05] fiddletw_: and that was somewhat rhetorical on my part
[19:05] ayoung: lots of knobs have been added over the years
[19:06] fiddletw_: I can see
[19:07] ayoung: so let's back up to where that is called, because we need that query string
[19:07] ayoung: query = '(%s=%s)' % (self.member_attribute,
[19:07] ayoung:                                  user_dn_esc)
[19:08] ayoung: so that would be an attribute of the posixGroup object
[19:08] ayoung: in the config, group_member_attribute becomes self.member_attribute here
[19:09] ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n1283
[19:09] ayoung: so you are going to want
[19:09] ayoung: group_member_attribute=memberOf
[19:09] ayoung: I think, right?
[19:09] fiddletw_: but I don't have memberOf
[19:10] ayoung: [ldap] group_objectclass=posixGroups
[19:10] fiddletw_: in my user object, I just have my uid
[19:10] fiddletw_: but no memberOf attributes
[19:10] ayoung: no, in the group object
[19:10] fiddletw_: in my group objects (standard posixGroup objectclasses) I have multiple memberUid
[19:10] ayoung: right...that
[19:10] fiddletw_: yeah
[19:11] ayoung: group_objectclass=posixGroup
[19:11] ayoung: group_member_attribute=memberUid
[19:12] fiddletw_: yes, I have "group_member_attribute = memberUid"
[19:12] ayoung: fiddletw_, so I assume you have a debuggable, non-production keystone that you can point at your LDAP server?
[19:12] fiddletw_: yes
[19:12] ayoung: are your logs configed to dump out the LDAP queries?
[19:12] fiddletw_: I also have "user_id_attribute = uid"
[19:12] ayoung: that is for the user object
[19:12] fiddletw_: yeah, I do
[19:13] ayoung: so look at the query executed during a token get that lists the groups for the user
[19:13] fiddletw_: k, just a sec
[19:13] ayoung: it might be that you need to tweak one of the other config options, such as the tree where the groups are stored
[19:14] fiddletw_: and also if it matters, I am running ocata
[19:14] fiddletw_: hopefully not too out of date
[19:14] fiddletw_: a quick glance and I didn't see many changes from the current head
[19:16] fiddletw_: generating logs
[19:17] ayoung: Nah, LDAP is pretty stable
[19:17] ayoung: fiddletw_, I personally want to remove it.
[19:17] ayoung: fiddletw_, you can do a lot of the LDAP stuff with SSSD and Federation, using more secure auth mechanisms than Simple Bind
[19:18] fiddletw_: for us, we have a saml provider that I'd love to integrate with
[19:21] fiddletw_: ok, so let me explain something before I tell you what I am seeing
[19:21] fiddletw_: to help make this usable, I was able to use a custom attribute my organization as a user_filter.  However, this narrows the ldap query too much but enough that it made it so I could login to ldap
[19:22] fiddletw_: so I had done this "user_filter = (department=XXXXX)"  it's too narrow but it worked
[19:22] fiddletw_: I was then able to login with my user and assign the user to various domain groups, etc
[19:23] fiddletw_: I just commented out the user_filter and restarted keystone.  And I was able to successfully login.  This is not the behavior I saw last night when trying to login with no user_filter meant a timeout
[19:24] fiddletw_: do you follow?
[19:25] fiddletw_: the quick summary, it seems to work, but that's not what was happening last night when I had no user_filter
[19:27] ayoung: user_filter ...
[19:27] ayoung: that is to find the user in the first place
[19:27] ayoung: I thought your problem was groups?
[19:28] ayoung: OK...I think I see the problem
[19:28] ayoung: you only want a subset of the users from LDAP showing up in Keystone?
[19:28] fiddletw_: yeah, at least last night, the user search was too big
[19:28] fiddletw_: yes!
[19:28] ayoung: sorry...I was being dense
[19:28] fiddletw_: because I have too many users in my directory
[19:29] ayoung: yeah. list_users should never have been allowed
[19:29] fiddletw_: it's cool. that was a good insight into how ldap is working
[19:29] ayoung: usually there is a filter on the LDAP server only allowing a maximum number of records to return
[19:29] fiddletw_: yeah, I had to remove that, page_size  was it?
[19:30] fiddletw_: wait, list_limit
[19:30] fiddletw_: list_limit = 0
[19:30] fiddletw_: is what I set it
[19:30] ayoung: You might want it a little bit higher
[19:30] fiddletw_: list_limit = 0, does that not disable the limit?
[19:31] ayoung: I don't think that kicks in prior to LDAP though
[19:31] ayoung: pretty sure that LDAP returns the gazillion entries, and then that just chomps them
[19:31] ayoung: I was talking about the LDAP server itself, outside of Keystone's control
[19:32] fiddletw_: oh, were you referring to page_size ?
[19:32] ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n1183  is for doing it inside Keystone, yes
[19:33] ayoung: and that might work for you as well, but looks like the posixGroup approach works for you now?
[19:33] fiddletw_: yeah, I am verifying now
[19:35] ayoung: ldapsearch -x -H ldap://ldap.corp.redhat.com -L -b 'dc=redhat,dc=com' | grep dn: | wc -l
[19:35] ayoung: 42267
[19:35] fiddletw_: and regardless, that was a great walkthrough on the ldap provider
[19:35] ayoung: Looks like we don't limit
[19:35] ayoung: shudder
[19:35] fiddletw_: hehe
[19:38] ayoung: That is a really high number...we must have a lot of entries in there for contractors and so on
[19:38] ayoung: anyway,  sounds like you are all set?
[19:38] fiddletw_: for now I am
[19:39] ayoung: fiddletw_, I highly suggest you look in to SSSD and Federation
[19:39] ayoung: are you a Kerberos shop?
[19:39] fiddletw_: SAML
[19:39] ayoung: Even better
[19:39] ayoung: SAML federation is well supported
[19:39] fiddletw_: yeah, we want to go down  that path for sure
[19:40] ayoung: make sure your IDP supports ECP if you need to use CLI for it
[19:40] fiddletw_: I'm not as familiar with SAML so not sure what that is, but I'll note it :)
[19:41] fiddletw_: we have a whole team dedicated for that, I need to engage them. It just can be organizationally "challenging" at times
[19:42] ayoung: fiddletw_, good luck
[19:43] fiddletw_: thanks, if I run into other issues, I'll come back for a visit. I appreciate the LDAP tour
[20:58] lbragstad: in case anyone feels like double checking my work - https://review.openstack.org/#/c/557997/
[21:13] lbragstad: ayoung: kmalloc while we were talking about ldap - https://bugs.launchpad.net/keystone/+bug/1754723
[21:13] openstack: Launchpad bug 1754723 in OpenStack Identity (keystone) "'openstack user list' is not listing userid correctly in case of LDAP" [Undecided,New]
[21:13] lbragstad: ^ that is working as designed with the shadow user stuff, right?
[21:32] sglazyrin_: Hello guys! I need advice about horizon plugin and keystone. I want to keep in my horizon plugin only javascript stuff but separate backend api of my plugin into separated uwsgi process and this backend api requires the same user as horizon. Is it a proper way to configure WEBSSO for horizon and my backend api app ?
[22:22] ayoung: sglazyrin_, one moment
[22:25] sglazyrin_: The reason why I need it, our horizon backend part has a lot of python dependencies, and we may break the system, sure we can wrap whole horizon into separated virtualenv, but then we may break horizon functionality...
[22:32] ayoung: sglazyrin_, I totally love the idea of the Keystone stuff being in Javascript
[22:33] ayoung: I think, though, that you need good CORS support to make that happen.  I did a POC of that a few years back
[22:34] ayoung: not sure how to send the token to Horizon, which is a server side app and needs the token to make calls itself
[22:35] ayoung: WebSSO is different
[22:35] ayoung: that is still passing the SAML assertion to the backend server
[22:36] sglazyrin_: I almost managed it to work. I want to connect the handler to user_signed_in django event, then send a token (horizon token) /backend-api/auth/websso/ and I get the same session in my backend api
[22:37] sglazyrin_: what do you think ? will it break something ? so, the flow is following: 1. when user signs in into horizon, I send a request to backend-api/websso endpoint, it starts the session from token and I got the same user...
[22:38] sglazyrin_: I use openstack_auth auth backend in my api as well.
[22:40] sglazyrin_: what do you mean by this ?
[22:40] sglazyrin_: I totally love the idea of the Keystone stuff being in Javascript
[22:54] ayoung: sglazyrin_, It sounds cool.
[22:55] ayoung: sglazyrin_, I totally love the idea of all of the Keystone access coming from the browser and the browser talking to the different OpenStack services directly
[22:56] sglazyrin_: that's great idea...
[22:56] ayoung: as far as websso goes, there is a Django based way to configure that already, so not sure if you really want to spend the cycles on it, but it is not a crazy idea
[22:56] sglazyrin_: I'll take a look later, maybe I can help somehow and contribute to openstack stuff.
[23:03] sglazyrin_: do you have an article about your POC for keystone in javascript ? Just curious ?
[23:03] sglazyrin_: maybe we can wrap it into some solution ?
