Tuesday, 2018-04-10

*** gyee has quit IRC		00:11
*** zhurong has joined #openstack-keystone		00:20
*** odyssey4me has quit IRC		00:34
*** odyssey4me has joined #openstack-keystone		00:34
*** chenyb4 has joined #openstack-keystone		00:47
*** germs has joined #openstack-keystone		00:56
*** germs has quit IRC		00:56
*** germs has joined #openstack-keystone		00:56
*** namnh has joined #openstack-keystone		02:08
*** dave-mccowan has joined #openstack-keystone		02:11
*** germs has quit IRC		02:22
*** germs has joined #openstack-keystone		02:22
*** germs has quit IRC		02:22
*** germs has joined #openstack-keystone		02:22
*** germs has quit IRC		02:23
*** r-daneel has joined #openstack-keystone		02:36
*** dave-mccowan has quit IRC		02:48
*** harlowja has quit IRC		03:16
*** sonuk has joined #openstack-keystone		03:30
*** zhurong has quit IRC		03:41
*** harlowja has joined #openstack-keystone		03:57
*** marius1 has joined #openstack-keystone		04:00
*** pcaruana has joined #openstack-keystone		04:06
*** marius1 has quit IRC		04:09
*** pcaruana has quit IRC		04:16
*** germs has joined #openstack-keystone		04:23
*** germs has quit IRC		04:23
*** germs has joined #openstack-keystone		04:23
*** pcichy has joined #openstack-keystone		04:24
*** sonuk has quit IRC		04:24
*** annp has quit IRC		04:25
*** sonuk has joined #openstack-keystone		04:25
*** annp has joined #openstack-keystone		04:25
*** germs has quit IRC		04:29
*** dikonoor has joined #openstack-keystone		05:08
*** links has joined #openstack-keystone		05:11
*** pcichy has quit IRC		05:25
*** dikonoor has quit IRC		05:37
*** dikonoor has joined #openstack-keystone		05:37
*** pcichy has joined #openstack-keystone		05:39
*** germs has joined #openstack-keystone		05:47
*** germs has quit IRC		05:47
*** germs has joined #openstack-keystone		05:47
*** marius1 has joined #openstack-keystone		05:47
*** germs has quit IRC		05:51
*** belmoreira has joined #openstack-keystone		06:00
*** jaosorior has quit IRC		06:04
*** namnh has quit IRC		06:18
*** AlexeyAbashkin has joined #openstack-keystone		06:32
*** jaosorior has joined #openstack-keystone		06:37
*** pcaruana has joined #openstack-keystone		06:40
*** harlowja has quit IRC		06:40
*** rcernin has quit IRC		06:41
*** martinus__ has joined #openstack-keystone		06:44
*** AlexeyAbashkin has quit IRC		06:49
*** AlexeyAbashkin has joined #openstack-keystone		06:50
*** AlexeyAbashkin has quit IRC		06:54
openstackgerrit	wangxiyuan proposed openstack/keystonemiddleware master: Double quote www_authenticate_uri https://review.openstack.org/559925	07:00
*** AlexeyAbashkin has joined #openstack-keystone		07:02
*** tesseract has joined #openstack-keystone		07:19
*** jaosorior has quit IRC		07:23
*** jaosorior has joined #openstack-keystone		07:27
*** dikonoo has joined #openstack-keystone		07:30
*** dikonoor has quit IRC		07:30
*** jhesketh_ has joined #openstack-keystone		07:31
*** dangtrinhnt has joined #openstack-keystone		07:33
*** jhesketh has quit IRC		07:37
*** hoonetorg has quit IRC		07:38
*** belmoreira has quit IRC		07:43
*** germs has joined #openstack-keystone		07:48
*** germs has quit IRC		07:48
*** germs has joined #openstack-keystone		07:48
*** hoonetorg has joined #openstack-keystone		07:52
*** germs has quit IRC		07:53
*** AlexeyAbashkin has quit IRC		07:53
*** AlexeyAbashkin has joined #openstack-keystone		07:56
*** dangtrinhnt has quit IRC		08:13
*** mvk has quit IRC		08:28
*** mvk has joined #openstack-keystone		08:58
*** belmoreira has joined #openstack-keystone		09:03
*** pcaruana has quit IRC		09:04
*** links has quit IRC		09:18
*** dikonoo has quit IRC		09:20
*** mvk has quit IRC		09:33
*** links has joined #openstack-keystone		09:33
*** mvk has joined #openstack-keystone		09:46
*** germs has joined #openstack-keystone		09:49
*** germs has quit IRC		09:49
*** germs has joined #openstack-keystone		09:49
*** germs has quit IRC		09:53
*** marius1 has quit IRC		10:41
*** chenyb4 has quit IRC		10:49
*** sonuk has quit IRC		11:17
*** links has quit IRC		11:26
*** sonuk has joined #openstack-keystone		11:28
*** links has joined #openstack-keystone		11:40
*** markvoelker has joined #openstack-keystone		11:40
*** zhurong has joined #openstack-keystone		11:54
*** marius1 has joined #openstack-keystone		11:59
*** odyssey4me has quit IRC		12:00
*** odyssey4me has joined #openstack-keystone		12:00
*** openstackgerrit has quit IRC		12:04
*** sonuk has quit IRC		12:11
*** raildo has joined #openstack-keystone		12:17
*** edmondsw has joined #openstack-keystone		12:17
*** dave-mccowan has joined #openstack-keystone		12:19
*** edmondsw has quit IRC		12:28
*** openstackgerrit has joined #openstack-keystone		12:29
openstackgerrit	Johannes Grassler proposed openstack/keystone-specs master: Add capabilities to application credentials https://review.openstack.org/396331	12:29
*** spilla has joined #openstack-keystone		12:32
*** marius1 has quit IRC		12:36
*** panbalag has joined #openstack-keystone		12:37
*** marius1 has joined #openstack-keystone		12:37
*** pcaruana has joined #openstack-keystone		12:44
*** panbalag has left #openstack-keystone		12:45
*** chenyb4 has joined #openstack-keystone		12:46
*** jaosorior has quit IRC		12:50
*** edmondsw has joined #openstack-keystone		12:51
*** zhurong has quit IRC		12:54
*** zhurong has joined #openstack-keystone		12:59
*** chenyb4 has quit IRC		13:07
*** zhurong has quit IRC		13:13
*** marius1 has quit IRC		13:17
*** marius11 has joined #openstack-keystone		13:17
*** marius11 has quit IRC		13:20
*** marius1 has joined #openstack-keystone		13:20
*** dklyle has quit IRC		13:33
*** cristicalin has joined #openstack-keystone		13:42
*** marius1 has quit IRC		13:42
*** lbragstad has joined #openstack-keystone		13:42
*** ChanServ sets mode: +o lbragstad		13:42
*** cristicalin has quit IRC		13:47
*** cristicalin has joined #openstack-keystone		13:47
*** awestin1 has quit IRC		13:48
*** awestin1 has joined #openstack-keystone		13:49
*** betherly has quit IRC		13:56
*** betherly has joined #openstack-keystone		13:57
*** r-daneel has quit IRC		14:02
*** ildikov has quit IRC		14:08
*** ildikov has joined #openstack-keystone		14:09
*** links has quit IRC		14:13
*** mnaser has quit IRC		14:15
*** mnaser has joined #openstack-keystone		14:16
*** markvoelker_ has joined #openstack-keystone		14:18
*** portdirect has quit IRC		14:19
*** portdirect has joined #openstack-keystone		14:19
*** markvoelker has quit IRC		14:21
*** samueldmq has quit IRC		14:21
*** samueldmq has joined #openstack-keystone		14:21
*** r-daneel has joined #openstack-keystone		14:22
*** tommylikehu has quit IRC		14:26
*** tommylikehu has joined #openstack-keystone		14:26
*** wxy has quit IRC		14:27
*** wxy has joined #openstack-keystone		14:27
*** dikonoor has joined #openstack-keystone		14:28
*** lamt has quit IRC		14:29
*** lamt has joined #openstack-keystone		14:29
*** lamt is now known as Guest29810		14:29
*** knikolla has quit IRC		14:30
*** knikolla has joined #openstack-keystone		14:30
*** r-daneel has quit IRC		14:32
*** r-daneel has joined #openstack-keystone		14:35
*** jamespage has quit IRC		14:36
*** felipemonteiro has joined #openstack-keystone		14:36
*** jamespage has joined #openstack-keystone		14:36
*** markvoelker has joined #openstack-keystone		14:36
knikolla	o/	14:38
*** markvoelker_ has quit IRC		14:39
*** markvoelker_ has joined #openstack-keystone		14:42
*** Guest29810 is now known as lamt		14:42
*** markvoelker has quit IRC		14:44
*** markvoelker has joined #openstack-keystone		14:46
*** dklyle has joined #openstack-keystone		14:46
gagehugo	o/	14:47
*** felipemonteiro_ has joined #openstack-keystone		14:47
*** markvoelker_ has quit IRC		14:49
*** markvoelker_ has joined #openstack-keystone		14:49
*** felipemonteiro has quit IRC		14:51
*** markvoelker has quit IRC		14:53
*** mvk has quit IRC		14:53
*** markvoelker has joined #openstack-keystone		14:56
*** markvoelker_ has quit IRC		14:58
*** wxy\| has joined #openstack-keystone		15:00
*** markvoelker_ has joined #openstack-keystone		15:05
*** markvoelker_ has quit IRC		15:08
*** markvoelker has quit IRC		15:09
*** markvoelker has joined #openstack-keystone		15:10
*** markvoelker_ has joined #openstack-keystone		15:10
hrybacki	o/	15:12
*** markvoelker has quit IRC		15:15
*** belmoreira has quit IRC		15:17
*** r-daneel_ has joined #openstack-keystone		15:25
*** r-daneel has quit IRC		15:26
*** r-daneel_ is now known as r-daneel		15:26
*** gyee has joined #openstack-keystone		15:31
*** AlexeyAbashkin has quit IRC		15:33
lbragstad	o/	15:35
hrybacki	lbragstad: FYI I'm gonna be in-and-out all afternoon (tons of meetings I'm getting pulled into today)	15:43
lbragstad	hrybacki: thanks for the heads up	15:44
hrybacki	ack. I'll be in the weekly meeting though	15:45
lbragstad	cool	15:45
*** AlexeyAbashkin has joined #openstack-keystone		15:47
*** thomasduval has joined #openstack-keystone		15:51
*** germs has joined #openstack-keystone		15:51
*** germs has quit IRC		15:51
*** germs has joined #openstack-keystone		15:51
*** cristicalin has quit IRC		15:52
*** germs has quit IRC		15:56
lbragstad	reminder that the keystone team meeting is starting in a minute in #openstack-meeting-alt	15:59
SamYaple	this might be an olso.log question.. but im noticing when running keystone behind uwsgi that when it spits out the DEBUG running config the name of application is 'uwsgi' in logging	15:59
SamYaple	on glance, it is 'glance.common.config'	15:59
SamYaple	so i have to filter for (^keystone\|^uwsgi) on keystone, but only (^glance) for glance	16:00
*** edmondsw has quit IRC		16:00
SamYaple	is there anything i can do to get the module to report something a bit more 'keystone' named	16:00
*** edmondsw has joined #openstack-keystone		16:01
kmalloc	SamYaple: it is likely uwsgi is configurable	16:01
kmalloc	SamYaple: i haven't looked though	16:01
SamYaple	kmalloc: my knowledge of uwsgi as relates to python logging approaches zero, do you have a param or option for me to start searching for in uwsgi to control the name?	16:02
SamYaple	im running glance behind uwsgi as well, same configuration	16:03
kmalloc	ah	16:03
kmalloc	you might need to supply a keystone-specific uwsgi with logging prefix or some such	16:03
kmalloc	i'll look post meeting/lunch	16:03
kmalloc	and see if i can help you. FWIW, I'm setting up an openstack for my home network today, so I'll specifically poke at that	16:04
SamYaple	ok yea, this is really a non-critical issue	16:04
SamYaple	im just working on openstack logging right now for my company	16:05
SamYaple	appreciate the comments	16:05
openstackgerrit	Merged openstack/keystone-specs master: Add capabilities to application credentials https://review.openstack.org/396331	16:16
*** eschwartz is now known as anyone		16:18
*** timss has quit IRC		16:20
*** felipemonteiro_ has quit IRC		16:27
*** blake has joined #openstack-keystone		16:27
*** felipemonteiro_ has joined #openstack-keystone		16:27
gagehugo	I should be back after awhile, may not make the rest of the meeting though	16:31
*** jessegler has joined #openstack-keystone		16:31
*** cristicalin has joined #openstack-keystone		16:49
*** felipemonteiro__ has joined #openstack-keystone		16:53
*** marius1 has joined #openstack-keystone		16:55
*** thomasduval has quit IRC		16:57
*** felipemonteiro_ has quit IRC		16:57
*** AlexeyAbashkin has quit IRC		16:59
*** dikonoor has quit IRC		17:00
lbragstad	#startmeeting keystone-office-hours	17:01
openstack	lbragstad: Error: Can't start another meeting, one is in progress. Use #endmeeting first.	17:01
*** blake has quit IRC		17:01
lbragstad	#endmeeting	17:01
*** openstack changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap"		17:01
openstack	Meeting ended Tue Apr 10 17:01:30 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	17:01
openstack	Minutes: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-04-03-17.01.html	17:01
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-04-03-17.01.txt	17:01
openstack	Log: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-04-03-17.01.log.html	17:01
lbragstad	#startmeeting keystone-office-hours	17:01
openstack	Meeting started Tue Apr 10 17:01:45 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.	17:01
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	17:01
*** openstack changes topic to " (Meeting topic: keystone-office-hours)"		17:01
*** ChanServ changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap"		17:01
openstack	The meeting name has been set to 'keystone_office_hours'	17:01
lbragstad	well - sorry about that	17:02
lbragstad	i apparently forgot to end the meeting last week	17:02
lbragstad	despite my efforts - http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-04-03-17.01.log.html#l-41	17:02
lbragstad	must have been issues it the openstack bot	17:03
lbragstad	with*	17:03
lbragstad	i'll be back in about 15 to 20 minutes	17:03
wxy\|	lbragstad: https://review.openstack.org/#/c/558489/ replied the question for the test code. I'll address other comments tomorrow.	17:03
lbragstad	wxy\|: awesome	17:03
lbragstad	i'll review the hierarchical limits specs	17:03
wxy\|	thanks	17:04
*** wxy\| has quit IRC		17:05
*** AlexeyAbashkin has joined #openstack-keystone		17:07
*** mugsie has joined #openstack-keystone		17:10
*** david-lyle has joined #openstack-keystone		17:10
mugsie	so, random question - I know in the past project IDs could be basically any string ... has that changed? or is project id's being UUIDs just the default so that is all anyone sees?	17:11
*** AlexeyAbashkin has quit IRC		17:12
*** blake has joined #openstack-keystone		17:13
*** itlinux has joined #openstack-keystone		17:14
*** dklyle has quit IRC		17:14
SamYaple	mugsie: my ldap projects are much longer than uuid4s still	17:14
mugsie	SamYaple: that is what I thought :) just wanted to confirm before blocking a patch :)	17:14
mugsie	thanks!	17:15
*** tesseract has quit IRC		17:16
*** annp has quit IRC		17:17
*** annp has joined #openstack-keystone		17:18
*** cristicalin has quit IRC		17:21
*** nicolasbock has joined #openstack-keystone		17:24
*** openstackgerrit has quit IRC		17:34
*** r-daneel_ has joined #openstack-keystone		17:35
*** r-daneel has quit IRC		17:36
*** r-daneel_ is now known as r-daneel		17:36
kmalloc	lbragstad: back	17:38
kmalloc	mugsie: Keystone is very opinionated	17:38
kmalloc	mugsie: project_ids are intended to be uuid4	17:39
kmalloc	mugsie: legacy stuff that included ldap may not have been limited to uuid4	17:39
mugsie	I knew it was the long term plan, but if there is still people out there using non uuid IDs, I can't allow a patch that enforces it on people	17:40
kmalloc	hold on, let me give you our specific table sizes	17:40
mugsie	i.e. I know the hp public cloud had ints back in the day	17:40
mugsie	its a string(64) afaik	17:40
kmalloc	that will break keystone.	17:40
kmalloc	so you can give that guidance.	17:40
*** blake has quit IRC		17:40
kmalloc	mugsie: id = sql.Column(sql.String(64), primary_key=True)	17:41
mugsie	kmalloc: thanks	17:42
kmalloc	mugsie: we allow for 64bytes, so a sha256 (we use that in some caseS) for ids	17:43
kmalloc	it may not be a uuid4, it might be a sha256 hexdigest	17:43
kmalloc	if someone proposes a patch that enforces uuid or less than 64bytes, we cannot guarantee we wont break you	17:44
mugsie	yeah - the patch is for uuidutils.is_uuid_like(project_id)	17:44
kmalloc	yeah i'd -2 that	17:44
* mugsie wang		17:44
kmalloc	and never let it land	17:44
kmalloc	:)	17:44
mugsie	damn	17:44
kmalloc	we may go to 64bytes for ids.	17:44
* mugsie wants to wait for the keystone unified limits		17:44
kmalloc	we may not, we future planned	17:44
kmalloc	but we will be opinionated we should generate the ids	17:45
kmalloc	:)	17:45
kmalloc	if that helps ya	17:45
mugsie	the problem is people are setting quotas on non existant projects, and want a way to validate the input - but this helps a lot :) I wanted to make sure I was right in my suspissions	17:45
kmalloc	:)	17:46
kmalloc	we're working on the limit things	17:46
kmalloc	but it is slow =/	17:46
kmalloc	mugsie: man, i need to get my openstack control plane up and running	17:47
lbragstad	kmalloc: we wrapped up the meeting talking about the domain to idp mappings	17:49
kmalloc	lbragstad: cool.	17:50
*** jaosorior has joined #openstack-keystone		17:50
lbragstad	and if there is a use case to have more than one domain per idp	17:50
kmalloc	there could be.	17:50
kmalloc	but that said, you could make it work with a 1-per restriction	17:51
*** germs has joined #openstack-keystone		17:52
*** germs has quit IRC		17:52
*** germs has joined #openstack-keystone		17:52
*** david-lyle has quit IRC		17:53
*** dklyle has joined #openstack-keystone		17:54
lbragstad	we had someone in boston ask for multiple domains per identity provider	17:56
lbragstad	i specifically remember that	17:56
*** germs has quit IRC		17:56
lbragstad	kmalloc: how would you do it with a workaround?	18:00
kmalloc	assignments cross domains	18:01
lbragstad	oh - from the shadow user across domains you mean?	18:02
kmalloc	yeah, just assign the role for the <user> to <domain1> <domain2> whatever	18:02
lbragstad	i suppose	18:02
lbragstad	that would work	18:02
lbragstad	since that's an option, i don't really see a reason to not have a one to one mapping	18:03
kmalloc	yeh	18:03
lbragstad	between identity providers and domains	18:03
*** dikonoor has joined #openstack-keystone		18:04
kmalloc	you can also register another idp in the system if you need clear isolation	18:04
kmalloc	e.g. some users in domain x and some in y	18:04
kmalloc	the same idp could be used multiple times.	18:04
kmalloc	a flat 1-to-1 mapping is not really needed. but also explicitly multiple domains per idp isn't needed afaict	18:05
kmalloc	without knowing more use-case specifics	18:05
*** Pete_ has joined #openstack-keystone		18:05
Pete_	hello	18:06
lbragstad	kmalloc: sure	18:06
lbragstad	Pete_: hi	18:07
*** germs has joined #openstack-keystone		18:12
*** germs has quit IRC		18:12
*** germs has joined #openstack-keystone		18:12
*** r-daneel_ has joined #openstack-keystone		18:16
*** r-daneel has quit IRC		18:17
*** r-daneel_ is now known as r-daneel		18:17
*** panbalag has joined #openstack-keystone		18:22
*** harlowja has joined #openstack-keystone		18:25
*** panbalag has left #openstack-keystone		18:26
*** openstackgerrit has joined #openstack-keystone		18:27
openstackgerrit	Gage Hugo proposed openstack/keystone master: Move fernet doctor checks into tokens checks https://review.openstack.org/527527	18:27
*** oikiki has joined #openstack-keystone		18:28
*** marius1 has quit IRC		18:35
*** AlexeyAbashkin has joined #openstack-keystone		18:36
lbragstad	gagehugo: with https://review.openstack.org/#/c/555196/	18:46
lbragstad	when you generate the api-ref, where are you seeing the changes?	18:46
lbragstad	i've tried generating the API reference with and without the change, but i don't notice a difference	18:46
*** mvk has joined #openstack-keystone		18:47
*** jaosorior has quit IRC		18:48
*** germs has quit IRC		18:49
*** germs has joined #openstack-keystone		18:51
*** germs has quit IRC		18:51
*** germs has joined #openstack-keystone		18:51
*** germs has quit IRC		18:58
*** timss has joined #openstack-keystone		19:04
*** openstackgerrit has quit IRC		19:04
*** marius1 has joined #openstack-keystone		19:17
*** openstackgerrit has joined #openstack-keystone		19:18
openstackgerrit	Gage Hugo proposed openstack/keystone master: Update keystone functional tests https://review.openstack.org/560129	19:18
gagehugo	lbragstad I looked at that locally vs the latest page	19:26
gagehugo	under "code documentation" it's a bit different	19:26
gagehugo	oh	19:26
gagehugo	not the api-ref	19:27
gagehugo	the docs that are auto-generated via sphinx-apidocs	19:27
lbragstad	oh	19:27
lbragstad	checking that quick	19:27
lbragstad	gagehugo: you compared them to https://docs.openstack.org/keystone/latest/ ?	19:28
gagehugo	ye	19:30
gagehugo	the toctree is a bit different here: https://docs.openstack.org/keystone/latest/api/modules.html	19:31
gagehugo	vs change	19:31
gagehugo	it looks like it's nesting differently, but the info ends up being there	19:31
lbragstad	some of the configuration options look different too	19:31
Pete_	need help	19:31
Pete_	Error: Could not prefetch keystone_role provider 'openstack': Execution of '/bin/openstack role list --quiet --format csv' returned 1: SSL exception connecting to https://127.0.0.1:35357/v3/roles: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) (tried 47, for a total of 170 seconds) Error: Not managing Keystone_role[_member_] due to earlier Keystone API failures. Error: /Stage[main]/Pra_openstack::Ke	19:32
Pete_	What is this and how to fix	19:32
Pete_	we config the admin_url/public_url as "https://<fqdn>:35357"	19:32
Pete_	but why "/bin/openstack role list" talks to 127.0.0.1 instead?	19:33
gagehugo	hmm	19:33
*** pcichy has quit IRC		19:33
Pete_	the scenario is like this, in an existing env which keystone/and other components runs w/o SSL	19:34
Pete_	we are putting change through puppet to setup SSL for keystone	19:34
Pete_	change admin/public_url from "http" to "https" using the same port "5000/35357"	19:34
Pete_	and provides "ssl_cert, ssl_key, ssl_cacert, use_ssl=true" to start keystone	19:35
*** pcichy has joined #openstack-keystone		19:35
lbragstad	openstack cli should look for an auth url to authenticate against	19:36
lbragstad	are you sure openstack client is finding that?	19:36
Pete_	when you say "openstack client" you mean "/bin/openstack"?	19:37
lbragstad	yeah - is that python-openstackclient?	19:37
lbragstad	https://pypi.python.org/pypi/python-openstackclient	19:37
Pete_	I can't tell	19:38
Pete_	from where the openstack client get the auth_url?	19:38
Pete_	from the 'table keystone" or from env vars?	19:38
lbragstad	openstackclient can get the auth url a couple different ways	19:38
lbragstad	one of the most common is it use environment variables	19:39
lbragstad	https://docs.openstack.org/python-openstackclient/latest/cli/man/openstack.html#authentication-methods	19:39
lbragstad	is to use*	19:39
Pete_	export OS_AUTH_URL="http://piab1-praccn1-1-piab.eng.sfdc.net:35357/v3" export OS_IDENTITY_API_VERSION="3" export OS_IMAGE_API_VERSION="2"	19:40
Pete_	export OS_PROJECT_DOMAIN_NAME="Default" export OS_PROJECT_NAME="admin" export OS_USERNAME="admin" export OS_USER_DOMAIN_NAME="Default"	19:40
Pete_	export OS_PASSWORD="blabla"	19:40
Pete_	that is the env vars setting	19:40
*** markvoelker_ has quit IRC		19:41
*** markvoelker has joined #openstack-keystone		19:41
lbragstad	ok - are you able to get a token?	19:41
lbragstad	using `openstack token issue` for example?	19:42
Pete_	how?	19:42
Pete_	declare -x OS_AUTH_URL="https://piab1-praccn1-1-piab.eng.sfdc.net:35357/v3"	19:43
Pete_	i changed this	19:43
Pete_	run "openstack user list"	19:43
Pete_	[centos@piab1-praccn1-1-piab ~]$ openstack user list Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. SSL exception connecting to https://piab1-praccn1-1-piab.eng.sfdc.net:35357/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)	19:43
lbragstad	that still looks like a certificate error	19:44
Pete_	but I run "openssl" to verify the cert/key are fine	19:44
lbragstad	did you use the upstream openstack puppet modules to setup SSL	19:45
lbragstad	if so, the puppet team might be able to help	19:45
*** panbalag has joined #openstack-keystone		19:45
*** markvoelker has quit IRC		19:45
*** jessegler has quit IRC		19:45
Pete_	we use github/puppet-keystone	19:46
Pete_	https://github.com/openstack/puppet-keystone/	19:47
lbragstad	yeah - the folks in #puppet-openstack might be able to help	19:48
lbragstad	from what i can tell, it looks like an issue with the certificates	19:48
lbragstad	which means the request likely isn't even getting to the keystone application yet	19:49
Pete_	'/bin/openstack role list --quiet --format csv' returned 1: SSL exception connecting to https://127.0.0.1:35357/v3/roles:	19:50
Pete_	anyidea	19:50
Pete_	why "/bin/openstack role list" talk to 127.0.0.1	19:50
*** markvoelker has joined #openstack-keystone		19:54
lbragstad	how is your service catalog setup/	19:54
lbragstad	?	19:54
Pete_	what command to run?	19:55
Pete_	whatever command "openstack" I ran all hit	19:55
Pete_	Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. SSL exception connecting to https://piab1-praccn1-1-piab.eng.sfdc.net:35357/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)	19:56
lbragstad	yeah - thats an ssl error	19:56
Pete_	any idea how to trouble shoot it?	19:57
lbragstad	when you setup the service catalog, how did you do it?	19:57
Pete_	this is an existing env which was setup before	20:00
lbragstad	do you know what was used to set it up? was it setup using puppet?	20:00
*** pcaruana has quit IRC		20:01
Pete_	yes	20:01
Pete_	class { '::keystone': admin_token => $::pra_openstack::constant::keystone_admin_token, admin_password => $::pra_openstack::config::keystone_admin_pwd, database_connection => "mysql+pymysql://keystone_admin:${keystone_cfg_ks_db_pw}@${keystone_cfg_mariadb_host}/keystone", token_provider => 'fernet', enable_fernet_setup => true, debug => $::pra_openstack::constant::debu	20:02
Pete_	we just add enable_ssl => true	20:02
Pete_	ssl_certfile=>	20:03
Pete_	ssl_keyfile=>	20:03
Pete_	ssl_ca_certs	20:03
Pete_	validate_insecure=> true	20:03
Pete_	to config keystone with SSL	20:03
lbragstad	just a heads up, but http://paste.openstack.org/ helps if you have a bunch of information	20:03
lbragstad	often times pastes don't turnout well in IRC due to formatting	20:04
Pete_	http://paste.openstack.org/show/718860/	20:05
lbragstad	awesome - thanks	20:05
lbragstad	public_bind_host and admin_bind_host are commented out	20:05
Pete_	first we didn't comment them out, but the same failure	20:06
lbragstad	i'm not very familiar with how openstack puppet does their orchestration, but someone in #puppet-openstack might	20:07
openstackgerrit	Gage Hugo proposed openstack/keystone master: Have project get domain_id from parent https://review.openstack.org/489655	20:07
Pete_	ok, i will try taht channel, thx	20:10
*** Pete_ has left #openstack-keystone		20:10
*** AlexeyAbashkin has quit IRC		20:16
*** AlexeyAbashkin has joined #openstack-keystone		20:17
*** markvoelker_ has joined #openstack-keystone		20:17
*** markvoelker has quit IRC		20:21
*** AlexeyAbashkin has quit IRC		20:25
*** pcichy has quit IRC		20:32
*** panbalag has left #openstack-keystone		20:33
*** raildo has quit IRC		20:44
*** dikonoor has quit IRC		20:52
*** dikonoor has joined #openstack-keystone		20:54
*** felipemonteiro__ has quit IRC		20:56
lbragstad	#endmeeting	21:08
*** openstack changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap"		21:08
openstack	Meeting ended Tue Apr 10 21:08:26 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	21:08
openstack	Minutes: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-04-10-17.01.html	21:08
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-04-10-17.01.txt	21:08
openstack	Log: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-04-10-17.01.log.html	21:08
*** jrist has quit IRC		21:14
*** dikonoor has quit IRC		21:16
*** mchlumsky has quit IRC		21:21
*** martinus__ has quit IRC		21:22
*** mchlumsky has joined #openstack-keystone		21:24
*** mchlumsky has quit IRC		21:27
*** marius1 has quit IRC		21:36
*** jrist has joined #openstack-keystone		21:41
*** edmondsw has quit IRC		21:42
*** edmondsw has joined #openstack-keystone		21:42
*** edmondsw has quit IRC		21:43
*** harsha has joined #openstack-keystone		21:46
harsha	Hello, does anyone know if keystone supports exponential backout or some sort of hardening mechanism to handle multiple failed login attempts(DDOS)... is there a conf to handle that?	21:47
*** marius1 has joined #openstack-keystone		21:49
*** marius1 has quit IRC		21:53
*** Pete__ has joined #openstack-keystone		21:54
Pete__	We have an existing env running keystone/other components in non-SSL and in the process of setting keystone w/ SSL and hit an issue	21:55
Pete__	We configured ::keystone with ssl_cert, ssl_key, ssl_ca, usessl=>true	21:56
Pete__	and run puppet	21:56
*** germs has joined #openstack-keystone		21:56
*** germs has quit IRC		21:56
*** germs has joined #openstack-keystone		21:56
Pete__	Notice: /Stage[main]/Glance::Deps/Anchor[glance::dbsync::end]: Triggered 'refresh' from 1 events Notice: /Stage[main]/Apache::Service/Service[httpd]: Triggered 'refresh' from 8 events Error: Could not prefetch keystone_role provider 'openstack': Execution of '/bin/openstack role list --quiet --format csv' returned 1: SSL exception connecting to https://127.0.0.1:35357/v3/roles: [SSL: CERTIFICATE_VERIFY_FAILED] certificate	21:56
Pete__	the admin_url we configured is "https://<fqdn>:35357"	21:56
*** adriant has quit IRC		21:59
*** adriant has joined #openstack-keystone		21:59
*** harsha has quit IRC		22:05
*** edmondsw has joined #openstack-keystone		22:09
*** edmondsw has quit IRC		22:10
*** harsha has joined #openstack-keystone		22:15
*** itlinux has quit IRC		22:15
Pete__	but the command "/usr/openstack user list" failed at "SSL exception connecting to 127.0.0.1"	22:16
Pete__	does anyone know why?	22:16
lbragstad	harsha: yeah - we have some support for pci dss	22:17
harsha	lbragstad: https://specs.openstack.org/openstack/keystone-specs/specs/keystone/newton/pci-dss.html -- >this doc says it's not yet supported	22:20
lbragstad	harsha: https://docs.openstack.org/keystone/latest/admin/identity-security-compliance.html#setting-an-account-lockout-threshold	22:21
lbragstad	i think that feature came after the newton release	22:21
harsha	lbragstad thanks for the info :)	22:22
lbragstad	no problem	22:22
*** rcernin has joined #openstack-keystone		22:23
*** oikiki has quit IRC		22:40
*** lbragstad has quit IRC		22:42
openstackgerrit	Tim Burke proposed openstack/keystonemiddleware master: Properly zero out max_retries in test_http_error_not_cached_token https://review.openstack.org/547228	22:43
*** dave-mccowan has quit IRC		22:49
openstackgerrit	Tim Burke proposed openstack/keystonemiddleware master: Only include response body if there's a response https://review.openstack.org/538108	22:49
*** r-daneel has quit IRC		22:59
*** r-daneel has joined #openstack-keystone		22:59
*** harsha has quit IRC		23:04
*** lbragstad has joined #openstack-keystone		23:09
*** ChanServ sets mode: +o lbragstad		23:09
*** Pete__ has quit IRC		23:10
*** adriant has quit IRC		23:11
*** adriant has joined #openstack-keystone		23:12
*** spilla has quit IRC		23:12
*** r-daneel has quit IRC		23:14
*** adriant has quit IRC		23:46
*** adriant has joined #openstack-keystone		23:47

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!